Abstract. We define guarded variable automata (GVAs), a simple extension of finite automata over infinite alphabets. In this model the transitions are labeled by letters or variables ranging over an infinite alphabet and guarded by conjunctions of equalities and disequalities. GVAs are strictly more expressive than both finite memory automata (FMA) of Kaminski and Francez [9], and variable automata of Grumberg et al. [8]. They are closed under intersection, union, concatenation and Kleene operator, and their nonemptiness problem is decidable. We show that the simulation preorder of GVAs is decidable. Our proof relies on the characterization of the simulation by means of games and strategies.

1 Introduction

The simple and powerful formalism of finite automata is widely used for system specification and verification. Considerable efforts have been devoted to extending finite automata to infinite alphabets: finite memory automata [9], data automata [5], variable automata [8], fresh-variable automata [3], to cite only a few (see [10] for a survey). When developing formalisms over infinite alphabets, the main challenge is to preserve as many useful properties as possible, such as compositionality (i.e. closure under basic operations) and decidability of basic problems such as nonemptiness, membership, universality, language containment, simulation, etc.

The language containment problem is a particularly important one in applications like formal verification. For instance, whether an implementation conforms to a specification amounts to deciding the containment $L(A) \subseteq L(B)$, where $A$ (resp. $B$) is an automaton formalizing the behavior of the implementation (resp. specification), and $L(A)$ is the language of words recognized by $A$.

The containment problem for finite automata (FAs) can be solved by using determinization, in a complete but inefficient way. Moreover, for several classes of automata over infinite alphabets, the containment problem turned out to be undecidable. This is the case for finite memory automata [11] and variable automata [8]. As a practical alternative approach, a simulation preorder can be employed to overapproximate the containment relation (e.g. [7]). Indeed, simulation-based techniques are sometimes more efficient. For instance a simulation between two finite automata can be computed in polynomial time. To our knowledge, simulation has not been studied for the classes of automata over infinite alphabets from [9] and [8].

Contributions. In this paper we define guarded variable automata, or GVAs, a natural extension of finite automata over infinite alphabets. In this model the transitions are labeled by letters or variables ranging over an infinite alphabet and guarded by conjunctions of equalities and disequalities. Besides, some variables are refreshed in some states, that is, these variables can be released so that new letters can be bound to them. The potential applicability of our model in verification (e.g. model checking [4]) and service composition [1] follows from the fact that GVAs are closed under intersection, union, concatenation and Kleene operator. The nonemptiness problem is decidable for GVAs, and membership is NP-complete. However, their universality and containment problems are undecidable. We introduce a simulation preorder for GVAs and show its decidability. The proof relies on a game-theoretic characterization of simulation. Hence GVAs enjoy nice closure and decidability properties, and we can show that they are more expressive than both finite memory automata and variable automata.

Related work. GVAs are closely related to the classes of automata in [9,8,3], but these classes are strictly included in GVAs. Here we give a procedure to decide the simulation preorder for GVAs. Simulation has not been studied, to our knowledge, for finite memory automata and variable automata, among other models over infinite alphabets.

Paper organization. Sec. 2 recalls standard notions. Sec. 3 introduces the new class of guarded variable automata. Sec. 4 shows closure properties and decidability of nonemptiness for GVAs. Sec. 5 introduces the simulation preorder of GVAs and shows its decidability. Sec. 6 studies the expressiveness of GVAs with respect to FMAs and variable automata. Future work directions are given in Sec. 7. Missing proofs are provided in external appendices.

2 Preliminaries 

Let $X$ be a finite set of variables, $\Sigma$ an infinite alphabet of letters. A substitution is an idempotent mapping $\{x_1 \mapsto a_1, \ldots, x_n \mapsto a_n\} \cup \bigcup_{a \in \Sigma} \{a \mapsto a\}$ with variables $x_1, \ldots, x_n$ in $X$ and $a_1, \ldots, a_n$ in $X \cup \Sigma$. We call $\{x_1, \ldots, x_n\}$ its proper domain, and denote it by $dom(\sigma)$. We denote by $Dom(\sigma)$ the set $dom(\sigma) \cup \Sigma$. We denote by $codom(\sigma)$ the set $\{a \in \Sigma \mid \exists x \in dom(\sigma) \text{ s.t. } \sigma(x) = a\}$. If all the $a_i$, $i = 1 \ldots n$, are letters then we say that $\sigma$ is ground. The empty substitution (i.e., with an empty proper domain) is denoted by $\emptyset$. The set of substitutions from $X \cup \Sigma$ to a set $A$ is denoted by $\mathcal{C}_{X,A}$, or simply by $\mathcal{C}_X$, or simply by $\mathcal{C}$, if there is no ambiguity. If $\sigma_1$ and $\sigma_2$ are substitutions that coincide on the domain $dom(\sigma_1) \cap dom(\sigma_2)$, then $\sigma_1 \cup \sigma_2$ denotes their union in the usual sense. We define the function $V : \Sigma \cup X \to \mathcal{P}(X)$ by $V(a) = \{a\}$ if $a \in X$, and $V(a) = \emptyset$ otherwise. For a function $F : A \to B$, and $A' \subseteq A$, the restriction of $F$ on $A'$ is denoted by $F_{|A'}$. If $k \in \mathbb{N}$ then we let $[k] = \{1, \ldots, k\}$.

A two-players game is a tuple $(Pos_E, Pos_A, M, p^*)$, where $Pos_E, Pos_A$ are disjoint sets of positions: Eloise's positions and Abelard's positions. $M \subseteq (Pos_E \cup Pos_A) \times (Pos_E \cup Pos_A)$ is a set of moves, and $p^*$ is the starting position. A strategy for the player Eloise is a function $\rho : Pos_E \to Pos_E \cup Pos_A$, such that $(p, \rho(p)) \in M$ for all $p \in Pos_E$. A (possibly infinite) play $\pi = (p_1, p_2, \ldots)$ follows a strategy $\rho$ for player Eloise iff $p_{i+1} = \rho(p_i)$ for all $i \in \mathbb{N}$ such that $p_i \in Pos_E$. Let $W$ be a (possibly infinite) set of plays. A strategy $\rho$ is winning for Eloise from a set $S \subseteq Pos_E \cup Pos_A$ according to $W$ iff every play starting from a position in $S$ and following $\rho$ belongs to $W$.

3 Guarded variable automata 

In this section we define formally the class of GVAs. It is an extension of 
FVAs [3] with logical constraints, called guards. 

Definition 1. The set $G$ of guards over $\Sigma \cup X$ is inductively defined as follows: $G := true \mid \alpha = \beta \mid \alpha \neq \beta \mid G \wedge G$, where $\alpha, \beta \in \Sigma \cup X$. We write $\sigma \models g$ if a substitution $\sigma$ satisfies a guard $g$.

We notice that adding the disjunction operator to the guards would 
not increase the expressivity of our model, see Remark 1 in Appendix A. 

A guard is atomic iff it is either $true$, an equality, or a disequality. Given a finite set $S = \{g_1, \ldots, g_n\} \subseteq G$ of atomic guards we denote by $\bigwedge S$ the guard $\bigwedge_{i=1}^{n} g_i$. In particular $\bigwedge \emptyset = true$. We let $\Pi S = \{\bigwedge S' \mid \emptyset \subseteq S' \subseteq S\}$. The set of variables of the guard $G = \bigwedge S$, denoted by $V(G)$, is defined by $V(G) = \bigcup_{g \in S} V(g)$ and $V(x \,\theta\, y) = V(x) \cup V(y)$, $\theta \in \{=, \neq\}$. The application of a substitution $\sigma$ to $G$ is denoted by $\sigma(G)$. We shall write $\sigma \vdash G$ if there exists a substitution $\sigma'$ such that $\sigma \models \sigma'(G)$.



Let $D \subseteq X$ and $S \subseteq G$ be a finite set of atomic guards, and let $G = \bigwedge S$. The deletion of the variables in $D$ from $G$, denoted by $G^{\setminus D}$, is defined by $G^{\setminus D} = \bigwedge \{g \in S \mid V(g) \cap D = \emptyset\}$.

The formal definition of GVAs follows. 

Definition 2. A GVA is a tuple $A = (\Sigma, X, Q, Q_0, \tau, \delta, F, \kappa)$ where $\Sigma$ is an infinite set of letters, $X$ is a finite set of variables, $Q$ is a finite set of states, $Q_0 \subseteq Q$ is a set of initial states, $\tau : X \to \Sigma$ is a partial function called the initial assignment of variables, $\delta : Q \times (\Sigma_A \cup X) \times G \to 2^Q$ is a transition function where $\Sigma_A$ is a finite subset of $\Sigma$, $F \subseteq Q$ is a set of accepting states, and $\kappa : X \to 2^Q$ is called the refreshing function.

For a GVA $A$, we shall denote by $\Sigma_A$ (resp. $G_A$) the finite set of letters (resp. of atomic guards) that appear in the transition function of $A$. For a path $\pi = q_0 \xrightarrow{\alpha_1, g_1} \cdots \xrightarrow{\alpha_n, g_n} q_n$ in $A$, we define $\eta_0(\pi) = q_0$ and $\eta_f(\pi) = q_n$. Let $\pi' = q_n \xrightarrow{\alpha_{n+1}, g_{n+1}} \cdots \xrightarrow{\alpha_m, g_m} q_m$ be another path in $A$. The composition of the paths $\pi$ and $\pi'$, denoted by $\pi \circ \pi'$, is the path

$\pi'' = q_0 \xrightarrow{\alpha_1, g_1} \cdots \xrightarrow{\alpha_n, g_n} q_n \xrightarrow{\alpha_{n+1}, g_{n+1}} \cdots \xrightarrow{\alpha_m, g_m} q_m$.

The semantics of guards has to be clarified: while taking a transition, some variables in the guard of this transition may be free, i.e. not associated with letters, and hence they must be instantiated so that the guard holds. The formal definitions of configuration, run and recognized language follow.

Definition 3. Let $A = (\Sigma, X, Q, Q_0, \tau, \delta, F, \kappa)$ be a GVA. A configuration is a pair $(q, M)$ where $q \in Q$ and $M : X \to \Sigma$ is a substitution. We define a transition relation over the configurations as follows: $(q_1, M_1) \xrightarrow{a} (q_2, M_2)$, where $a \in \Sigma$, iff there exist a substitution $\sigma$ and a label $\alpha \in \Sigma \cup X$ such that $q_2 \in \delta(q_1, \alpha, g)$ and $dom(\sigma) \cap dom(M_1) = \emptyset$ and either:

i) $\alpha \in Dom(M_1)$, $M_1(\alpha) = a$, $dom(\sigma) = V(M_1(g))$, $(M_1 \uplus \sigma) \models g$ and $M_2 = (M_1 \uplus \sigma)_{|D}$, with $D = Dom(M_1 \uplus \sigma) \setminus \kappa^{-1}(q_2)$,

or

ii) $\alpha \in (X \setminus Dom(M_1))$, $dom(\sigma) = \{\alpha\} \cup V(M_1(g))$, $(M_1 \uplus \sigma)(\alpha) = a$, $(M_1 \uplus \sigma) \models g$ and $M_2 = (M_1 \uplus \sigma)_{|D}$, with $D = Dom(M_1 \uplus \sigma) \setminus \kappa^{-1}(q_2)$.

A finite word $w = w_1 w_2 \cdots w_n \in \Sigma^*$ is recognized by $A$ iff there exists a run $(q_0, M_0) \xrightarrow{w_1} (q_1, M_1) \xrightarrow{w_2} \cdots \xrightarrow{w_n} (q_n, M_n)$, such that $M_0 = \tau$, $q_0 \in Q_0$ and $q_n \in F$. The set of words recognized by $A$ is denoted by $L(A)$.

Example 1. Let $A_1$ and $A_2$ be the GVAs depicted on the right with $\kappa_i$ the refreshing function of $A_i$, $i = 1, 2$, and $\kappa_1(y) = \{p_0\}$ and $\kappa_2(x) = \kappa_2(y) = \{[\text{illegible}]\}$, and $\tau_i$, $i = 1, 2$, their initial assignment with $\tau_1 = \tau_2 = \emptyset$. The language $L(A_1)$ consists of all the words in $\Sigma^*$ in which the last letter is different from all the other letters. This language can be recognized by a variable automaton [8] but not by a FMA [9]. Notice that while making the first loop over $p_0$ the variable $x$ of the guard $(y \neq x)$ must be instantiated. On the other hand, the language $L(A_2) = \{w_1 w_2 \cdots w_{2n} \mid w_i \in \Sigma,\ n \geq 1,\ \text{and } w_{2i-1} \neq w_{2i},\ \forall i \in [n]\}$ can be recognized by a FMA but not by a variable automaton.
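The configuration semantics of Definition 3 and the two automata of Example 1, as an added example in Python (not code from the paper). The figure is not reproduced on this page, so the automata $A_1$ and $A_2$ below, with states $p_0, p_1$ and $q_0, q_1, q_2$, are my reconstruction from the languages and refreshing functions stated in the text. Free guard variables are instantiated from the letters of the word, $\Sigma_A$, $codom(\tau)$ and a few fresh letters; for a membership test this suffices because a guard only compares a letter for equality or disequality with those letters (the same idea underlies the finite game of Sec. 5.1).

```python
from itertools import product

# Constructed example: the configuration semantics of Definition 3 run on
# the two automata of Example 1. The automata A1 and A2 (states p0, p1 and
# q0, q1, q2) are my reconstruction from the text; the paper's figure is absent.

class GVA:
    """A guarded variable automaton. Letters are arbitrary strings (Σ is
    infinite); a guard is a list of atomic constraints (op, lhs, rhs) with
    op in {"=", "!="} and lhs, rhs letters or variables."""

    def __init__(self, variables, states, initial, delta, final, refresh, init_assign=None):
        self.X = set(variables)
        self.Q = set(states)
        self.Q0 = set(initial)
        self.delta = list(delta)              # entries (q, label, guard, q')
        self.F = set(final)
        self.kappa = {x: set(refresh.get(x, ())) for x in self.X}   # κ(x): states refreshing x
        self.tau = dict(init_assign or {})                            # τ: initial assignment
        # Σ_A: the finitely many letters written on transitions and guards
        self.sigma_A = set()
        for _, label, guard, _ in self.delta:
            for term in [label] + [t for _, l, r in guard for t in (l, r)]:
                if term not in self.X:
                    self.sigma_A.add(term)

    def holds(self, guard, M):
        """σ ⊨ g for a substitution M that binds every variable of g."""
        return all((M.get(l, l) == M.get(r, r)) == (op == "=") for op, l, r in guard)

    def successors(self, q, M, letter, candidates):
        """Configurations (q', M') with (q, M) --letter--> (q', M')."""
        for src, alpha, guard, dst in self.delta:
            if src != q:
                continue
            if alpha in self.X and alpha not in M:
                base = {alpha: letter}           # case ii): free variable bound to the letter read
            elif M.get(alpha, alpha) == letter:
                base = {}                          # case i): letter, or variable already bound to it
            else:
                continue
            # V(M1(g)): guard variables still free after applying M1 ⊎ base
            free = []
            for _, l, r in guard:
                for v in (l, r):
                    if v in self.X and v not in M and v not in base and v not in free:
                        free.append(v)
            for choice in product(sorted(candidates), repeat=len(free)):
                M2 = {**M, **base, **dict(zip(free, choice))}
                if self.holds(guard, M2):
                    # restrict to D = Dom(M1 ⊎ σ) \ κ^{-1}(q'): release variables refreshed at q'
                    yield dst, {x: v for x, v in M2.items() if dst not in self.kappa[x]}

    def recognizes(self, word):
        """Membership test: explore every run of the automaton over `word`."""
        # Free guard variables range over the letters of w, Σ_A, codom(τ) and
        # |X| fresh letters (constructed; assumed to occur nowhere else).
        fresh = {f"#{i}" for i in range(len(self.X))}
        candidates = set(word) | self.sigma_A | set(self.tau.values()) | fresh
        configs = {(q, frozenset(self.tau.items())) for q in self.Q0}
        for letter in word:
            nxt = set()
            for q, M in configs:
                for q2, M2 in self.successors(q, dict(M), letter, candidates):
                    nxt.add((q2, frozenset(M2.items())))
            configs = nxt
        return any(q in self.F for q, _ in configs)

# A1: the last letter differs from all the others. y is refreshed at p0, so
# every loop binds a new y; x is bound on the first loop (guard y ≠ x) and
# then stays fixed until the final transition p0 -x-> p1 reads it.
A1 = GVA(variables={"x", "y"}, states={"p0", "p1"}, initial={"p0"},
         delta=[("p0", "y", [("!=", "y", "x")], "p0"),
                ("p0", "x", [], "p1")],
         final={"p1"}, refresh={"y": {"p0"}})

# A2: w1 w2 ... w2n with w(2i-1) ≠ w(2i); x and y are both refreshed at q2.
A2 = GVA(variables={"x", "y"}, states={"q0", "q1", "q2"}, initial={"q0"},
         delta=[("q0", "x", [], "q1"),
                ("q1", "y", [("!=", "y", "x")], "q2"),
                ("q2", "x", [], "q1")],
         final={"q2"}, refresh={"x": {"q2"}, "y": {"q2"}})

if __name__ == "__main__":
    for w in ["abcd", "aba", "ab", "aa"]:
        print(w, A1.recognizes(w), A2.recognizes(w))
```

Running `A1.recognizes("abcd")` explores, among others, the configurations $(p_0, \{x \mapsto b\})$, $(p_0, \{x \mapsto c\})$ and $(p_0, \{x \mapsto \#0\})$ after the first letter: the guard of the loop forces $x$ to be instantiated to something other than the letter read, and only the branch that guessed the final letter survives to $p_1$. The exhaustive instantiation over a finite candidate set is what makes the search terminate and is the brute-force counterpart of the NP upper bound for Membership stated in Sec. 4.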
4 Properties of guarded variable automata

We study the closure properties of GVAs and some basic decision problems. Firstly, we show that GVAs and GVAs with empty initial assignment recognize the same languages. The idea is to turn the initial assignment $\tau_0$ into the guard $\phi = \bigwedge \{(z = a) \mid \tau_0(z) = a\}$ and propagate it in the transitions of the automaton, and remove from this guard the variables which are refreshed at each state.

Lemma 1. For a GVA (with initial assignment) we can construct a GVA 
with empty initial assignment recognizing the same language. 

Theorem 1. GVAs are closed under union, concatenation, Kleene oper- 
ator and intersection. They are not closed under complementation. 

For the closure under union we simply take the disjoint union of the two GVAs. The closure under Kleene operator and concatenation follows from the fact that we can extend GVAs with $\epsilon$-transitions (and trivial guards) and show that they have the same expressivity as GVAs (Claim 4 in Appendix B.2). The closure under intersection is a consequence of the fact that computing the intersection of two GVAs amounts to computing their Cartesian product, which can be turned into a GVA (Appendix B.2). For the complementation, consider the language $L_2$ of all the words in which there is a letter that occurs at least twice. In fact, $L_2$ is GVA-recognizable [3]. The complement of $L_2$ consists of all the words in which all the letters are different, which is not GVA-recognizable since we need to compare each letter $w_j$ to all the previous letters $w_i$, $i < j$. Thus we would need an infinite number of states.

Although GVAs are not closed under complementation, FAs can be complemented within the class of GVAs. That is, given a FA $F$ there exists a GVA $A$ such that $L(A) = \Sigma^* \setminus L(F)$, see Proposition 1 in Appendix B.2. It is worth mentioning that FAs cannot be complemented within the subclass of FVAs.

Decision procedures for GVAs. We study the decidability and complexity of classical decision problems: Nonemptiness (given $A$, is $L(A) \neq \emptyset$?), Membership (given a word $w$ and $A$, is $w \in L(A)$?), Universality (given $A$, is $L(A) = \Sigma^*$?), and Containment (given $A_1$ and $A_2$, is $L(A_1) \subseteq L(A_2)$?).

Theorem 2. For GVAs, Membership is NP-complete, Universality and Containment are undecidable.

The undecidability of Containment and Universality is a consequence 
of the undecidability of these problems for variable automata [8, Theorem 
5]. However, the decidability of Containment if one of the GVAs is a finite 
automaton results from the fact that the intersection of the languages in 
this case is regular since the Cartesian product of a GVA and a FA yields 
a FA. The proof is the same as that of Lemma 17 of [3]. Hence, 

Proposition 1. The containment problems between a GVA and a FA are 
decidable. 

For Nonemptiness of GVAs (and more generally the reachability problems), we first introduce the so-called normal form of GVAs. It is obtained by combining the stretched and quotient automata defined below.

GVA's stretched form. It is useful to formalize the notion of a variable being free in a state.

Definition 4. Let $A$ be a GVA. A variable $x$ is free in a state $q$ of $A$ if any run starting from the initial state and leading to $q$ yields a configuration $(q, M)$ in which $x \notin Dom(M)$.

We define next the notion of stretched form for GVAs so that we can 
check whether a variable is free in a state without referring to the run. 

Definition 5. Let $A = (\Sigma, X, Q, Q_0, F, \delta, \kappa)$ be a GVA. We define the stretched form of $A$ to be the GVA $A' = (\Sigma, X, Q', Q_0', F', \delta', \kappa')$ defined by:

$Q' = \{(q, \mathcal{X}) \mid q \in Q \text{ and } \mathcal{X} \subseteq X\}$,
$F' = \{(q, \mathcal{X}) \mid q \in F \text{ and } \mathcal{X} \subseteq X\}$.

The transition function $\delta'$ is defined by $(q', \mathcal{X}') \in \delta'((q, \mathcal{X}), \alpha, g)$, where $\alpha \in \Sigma \cup X$ and $g \in G$, if and only if $\mathcal{X}' = (\mathcal{X} \setminus (\{\alpha\} \cup V(g))) \cup \kappa^{-1}(q')$. Finally, the refreshing function $\kappa'$ is defined by $\kappa'(x) = \{(q, \mathcal{X}) \mid q \in \kappa(x)\}$.

Lemma 2. Let $A = (\Sigma, X, Q, Q_0, F, \delta, \kappa)$ be a GVA and $A' = (\Sigma, X, Q', Q_0', F', \delta', \kappa')$ be its stretched form. Then, $L(A) = L(A')$. Besides, a variable $x$ is free in a state $(q, \mathcal{X}) \in Q'$ iff $x \in \mathcal{X}$.

Quotient GVA. Out of $A$ we construct the GVA $A_{/\sim}$ such that each state $q$ of $A_{/\sim}$ contains the guards which hold in $q$ depending on the path leading from the starting state of $A$ to $q$.

Definition 6. Let $A = (\Sigma, X, Q, Q_0, F, \delta, \kappa)$ be a GVA. The quotient automaton of $A$ is the GVA $A_{/\sim} = (\Sigma, X, Q', Q_0', F', \delta', \kappa')$ defined by:

$Q' = \{(q, \phi) \mid q \in Q \text{ and } \phi \in \Pi G_A\}$,
$Q_0' = \{(q, true) \mid q \in Q_0\}$,
$F' = \{(q, \phi) \mid q \in F \text{ and } \phi \in \Pi G_A\}$.

The transition function $\delta'$ is defined by $(q', (g \wedge \phi)^{\setminus D}) \in \delta'((q, \phi), \alpha, g)$ if, and only if, $q' \in \delta(q, \alpha, g)$, where $\alpha \in X \cup \Sigma$ and $g \in \Pi G_A$ (the set $D$ of deleted variables is not legible in this copy). The function $\kappa'$ is defined by $\kappa'(x) = \{(q, \phi) \mid q \in \kappa(x) \text{ and } \phi \in \Pi G_A\}$.

Lemma 3. There exists a run $q_0, M_0 \xrightarrow{w_1} \cdots \xrightarrow{w_n} q_n, M_n$ in $A$ if, and only if, there exists a run $(q_0, true), M_0 \xrightarrow{w_1} \cdots \xrightarrow{w_n} (q_n, \phi_n), M_n$ in $A_{/\sim}$ such that $M_i \models \phi_i$, for all $i = 0, \ldots, n$.

For a GVA $A$, the normal form of $A$ is the GVA $A'_{/\sim}$, where $A'$ is the stretched form of $A$.

Lemma 4. Let $A$ be a GVA in the normal form. Let $\pi = (q_0, \mathcal{X}_0, \phi_0) \xrightarrow{\alpha_1, g_1} \cdots \xrightarrow{\alpha_n, g_n} (q_n, \mathcal{X}_n, \phi_n)$ be a path in $A$ with $\phi_0 = true$ and $q_0 \in Q_0$. Then, there is a run over $\pi$ iff $\vdash \phi_n$ and $\vdash \phi_i \wedge g_{i+1}$, for all $i = 0, \ldots, n-1$.

The following Corollary shows that to deal with the reachability in a GVA in the normal form, it suffices to consider simple paths.

Corollary 1. Let $A$ be a GVA in the normal form. Let $\pi_1 \circ \pi_2 \circ \pi_3$ be a path in $A$ with $\eta_f(\pi_1) = \eta_0(\pi_2) = \eta_f(\pi_2) = \eta_0(\pi_3)$. If there is an accepting run in $A$ over $\pi_1 \circ \pi_2 \circ \pi_3$ then there is an accepting run over $\pi_1 \circ \pi_3$ as well.

Summing up the results shown so far, we are ready to prove the main 
result of this section. 



Theorem 3. Nonemptiness for GVAs is decidable.

Proof. Let $A$ be a GVA in stretched form. Let $A_{/\sim}$ be its quotient automaton. From Lemma 3 it follows that $L(A) = \emptyset$ iff $L(A_{/\sim}) = \emptyset$. It follows from Corollary 1 that to check the nonemptiness of $A_{/\sim}$ it is sufficient to look for an accepting run over a simple path of $A_{/\sim}$. □
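The ingredients of the quotient construction and of Lemma 4, as an added example in Python (not the paper's code): guards as lists of atomic constraints, the deletion $G^{\setminus D}$, a test for $\vdash G$ (satisfiability over an infinite alphabet: merge the terms forced equal, then check that no two distinct letters were merged and that no disequality joins a class), and the check that a path carries a run by propagating $\phi_{i+1} = (\phi_i \wedge g_{i+1})^{\setminus D}$ along it. The paths and refreshing functions below are constructed, and taking $D = \kappa^{-1}(q_{i+1})$, the variables released when entering the target state, is my reading of Definition 6, not something the page states explicitly.

```python
# Constructed example for Definition 6 and Lemma 4. Guards are lists of
# (op, lhs, rhs) with op in {"=", "!="}; a term is a variable if it belongs
# to `variables`, otherwise it is a letter. Not code from the paper.

def delete_vars(guard, D, variables):
    """G^{\\D}: keep the atomic guards whose variables avoid D (V(g) ∩ D = ∅)."""
    return [(op, l, r) for op, l, r in guard
            if not any(t in D for t in (l, r) if t in variables)]

def satisfiable(guard, variables):
    """⊢ G: is there a substitution satisfying the conjunction?
    Union-find over the equalities; unsatisfiable iff two different letters
    end up in one class or a disequality relates two terms of one class.
    Over an infinite alphabet this is exact: remaining free variables can
    always be given pairwise distinct fresh letters."""
    parent = {}

    def find(t):
        parent.setdefault(t, t)
        while parent[t] != t:
            parent[t] = parent[parent[t]]      # path halving
            t = parent[t]
        return t

    for op, l, r in guard:
        if op == "=":
            parent[find(l)] = find(r)
    letter_of_class = {}
    for t in list(parent):
        if t not in variables:                  # a letter: at most one per class
            if letter_of_class.setdefault(find(t), t) != t:
                return False
    return all(find(l) != find(r) for op, l, r in guard if op == "!=")

def refreshed_at(refresh, q):
    """κ^{-1}(q): the variables released when entering state q."""
    return {x for x, states in refresh.items() if q in states}

def path_has_run(transitions, refresh, variables):
    """Lemma 4 on a path given as [(q_i, alpha_{i+1}, g_{i+1}, q_{i+1}), ...]
    with phi_0 = true: every phi_i ∧ g_{i+1} must be satisfiable, and the
    quotient state carries phi_{i+1} = (phi_i ∧ g_{i+1}) with the variables
    refreshed at q_{i+1} deleted (assumption: D = κ^{-1}(q_{i+1}))."""
    phi = []                                    # true
    for _, _, g, q2 in transitions:
        if not satisfiable(phi + g, variables):
            return False
        phi = delete_vars(phi + g, refreshed_at(refresh, q2), variables)
    return satisfiable(phi, variables)

# Constructed paths. PATH_OK follows the loop of A1 from Example 1 twice and
# then leaves: y ≠ x each time, with y refreshed at p0.
VARS = {"x", "y"}
PATH_OK = [("p0", "y", [("!=", "y", "x")], "p0"),
           ("p0", "y", [("!=", "y", "x")], "p0"),
           ("p0", "x", [], "p1")]
# PATH_BAD first demands x ≠ a and then x = a on a single state q: it carries
# a run only if x is refreshed at q between the two transitions.
PATH_BAD = [("q", "x", [("!=", "x", "a")], "q"),
            ("q", "y", [("=", "x", "a")], "q")]

if __name__ == "__main__":
    print(path_has_run(PATH_OK, {"y": {"p0"}}, VARS))
    print(path_has_run(PATH_BAD, {}, VARS), path_has_run(PATH_BAD, {"x": {"q"}}, VARS))
```

The second path shows why the refreshing function has to enter the quotient states: the same two guards are contradictory when $x$ keeps its binding and satisfiable when $x$ is released at $q$, and the deleted constraint is exactly what the quotient automaton forgets.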

5 Simulations for GVAs 

We define and study the simulation preorder for GVAs; it is a generalization of the standard simulation for FAs. The idea is that the simulation for GVAs is over pairs of configurations. To simplify the presentation, we shall only consider in this section GVAs in which there is a unique initial state and all the states are accepting. The formal definition of simulation is given in Def. 11, Appendix C. In order to study the decidability of the simulation, we provide next an equivalent game-theoretic definition in which we make explicit the evolution of the configurations.

Definition 7. Let $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_0^1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_0^2, \delta_2, F_2, \kappa_2)$ be two GVAs where $X_1 \cap X_2 = \emptyset$. Let $Pos$ be the set of positions reachable from $p^* = ((\tau_0^1, q_0^1), (\tau_0^2, q_0^2))_A$ by the set of moves $M = M_A \cup M_E$, where:

$M_A = \{\, ((\sigma_1, q_1), (\sigma_2, q_2))_A \longrightarrow (((\sigma_1 \uplus \gamma)_{|D}, q_1'), (\sigma_2, q_2), (\sigma_1 \uplus \gamma, \alpha))_E \mid q_1' \in \delta_1(q_1, \alpha, g_1)$ and $D = Dom(\sigma_1 \uplus \gamma) \setminus \kappa_1^{-1}(q_1')$ and $\sigma_1 \uplus \gamma \models g_1$ and $\gamma : V(\sigma_1(\alpha)) \cup V(\sigma_1(g_1)) \to \Sigma \,\}$

$M_E = \{\, ((\sigma_1, q_1), (\sigma_2, q_2), (\sigma_3, \alpha))_E \longrightarrow ((\sigma_1, q_1), ((\sigma_2 \uplus \gamma_2)_{|D_2}, q_2'))_A \mid q_2' \in \delta_2(q_2, \beta, g_2)$ and $D_2 = Dom(\sigma_2 \uplus \gamma_2) \setminus \kappa_2^{-1}(q_2')$ and $\gamma_1(\sigma_3(\alpha)) = \gamma_2(\sigma_2(\beta))$ and $\gamma_2 \models \sigma_2(g_2)$ and $\gamma_2 : V(\sigma_2(\beta)) \cup V(\sigma_2(g_2)) \to \Sigma \,\}$

We let $Pos_E = Pos \cap ((\mathcal{C}_{X_1} \times Q_1) \times (\mathcal{C}_{X_2} \times Q_2) \times (\mathcal{C}_{X_1} \times (\Sigma \cup X)))$ and $Pos_A = Pos \cap ((\mathcal{C}_{X_1} \times Q_1) \times (\mathcal{C}_{X_2} \times Q_2))$. The simulation game of $A_1$ by $A_2$, denoted by $\mathcal{G}(A_1, A_2)$, is the two-players game $(Pos_E, Pos_A, M, p^*)$. As usual, any infinite play is winning for Eloise, and any finite play is losing for the player who cannot move. When Eloise has a winning strategy from $p^*$ we write $A_1 \preceq A_2$.

The simulation problem for GVAs is the following: given two GVAs $A_1$ and $A_2$, is $A_1 \preceq A_2$?



5.1 Decidability of the simulation problem 

In this section we show that the simulation problem is decidable. The idea is that this problem can be reduced to a simulation problem over the same GVAs in which the two players instantiate the variables from a finite set of letters, as proven in Proposition 2.

Definition 8. Let $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_2, \delta_2, F_2, \kappa_2)$ be two GVAs. We define $\overline{\mathcal{G}}(A_1, A_2)$ to be the game obtained by restricting the codomain of $\gamma$ to $C_0$ in the rules of Eloise $M_E$ and Abelard $M_A$ in Def. 7, where $C_0 = \Sigma_{A_1} \cup \Sigma_{A_2} \cup (X_1 \times X_2) \cup (X_2 \times X_1) \cup codom(\tau_1) \cup codom(\tau_2)$.

The following Lemma states an immediate property of the game $\overline{\mathcal{G}}$.

Lemma 5. Let $A_1, A_2$ be two GVAs. Then, the game $\overline{\mathcal{G}}(A_1, A_2)$ is finite.

In order to prove Proposition 2 we need to introduce the notion of coher- 
ence between substitutions and between game positions. The coherence 
relation was introduced in [3], we reproduce it here. 

Definition 9. Let $C$ be a finite subset of $\Sigma$. The coherence relation $\approx_C \subseteq \mathcal{C} \times \mathcal{C}$ between substitutions is defined by $\sigma \approx_C \bar\sigma$ iff the three following conditions hold:

1. $dom(\sigma) = dom(\bar\sigma)$,

2. If $\sigma(x) \in C$ then $\bar\sigma(x) = \sigma(x)$, and if $\bar\sigma(x) \in C$, then $\sigma(x) = \bar\sigma(x)$, for any variable $x \in dom(\sigma)$, and

3. for any variables $x, y \in dom(\sigma)$, $\sigma(x) = \sigma(y)$ iff $\bar\sigma(x) = \bar\sigma(y)$.

The definition of the coherence between game positions, still denoted by $\approx_C$, follows.

Definition 10. Let $C$ be a finite subset of $\Sigma$, and $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_1, \delta_1, F_1, \kappa_1)$, and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_2, \delta_2, F_2, \kappa_2)$ be two GVAs s.t. $X_1 \cap X_2 = \emptyset$. Let $Pos_E$ (resp. $Pos_A$) be the set of Eloise's (resp. Abelard's) positions in the game $\mathcal{G}(A_1, A_2)$. Then we define the relation $\approx_C \subseteq Pos_A \times Pos_A \cup Pos_E \times Pos_E$ by:

• For any $\sigma_i, \bar\sigma_i$ of proper domain included in $X_i$ ($i = 1, 2$) we have:

$((\sigma_1, q_1), (\sigma_2, q_2))_A \approx_C ((\bar\sigma_1, q_1), (\bar\sigma_2, q_2))_A$ iff $(\sigma_1 \uplus \sigma_2) \approx_C (\bar\sigma_1 \uplus \bar\sigma_2)$.

• For any $\sigma_i, \bar\sigma_i$ of proper domain included in $X_i$ ($i = 1, 2$), for any substitutions $\sigma, \bar\sigma$ with proper domain included in $X_1$, we have:

$((\sigma_1 \cup \sigma) \uplus \sigma_2) \approx_C ((\bar\sigma_1 \cup \bar\sigma) \uplus \bar\sigma_2)$ iff $((\sigma_1, q_1), (\sigma_2, q_2), (\sigma, \alpha))_E \approx_C ((\bar\sigma_1, q_1), (\bar\sigma_2, q_2), (\bar\sigma, \alpha))_E$.



Now we are ready to show that the games $\mathcal{G}$ and $\overline{\mathcal{G}}$ are equivalent in the following sense:

Proposition 2. Let $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_2, \delta_2, F_2, \kappa_2)$ be two GVAs. Then, Eloise has a winning strategy in $\mathcal{G}(A_1, A_2)$ iff she has a winning strategy in $\overline{\mathcal{G}}(A_1, A_2)$.

Proof. Up to renaming of variables, we can assume that $X_1 \cap X_2 = \emptyset$.

For the direction "⇒" we show that out of a winning strategy of Eloise in $\mathcal{G}(A_1, A_2)$ we construct a winning strategy for her in $\overline{\mathcal{G}}(A_1, A_2)$. For this purpose, we show that each move of Abelard in $\overline{\mathcal{G}}(A_1, A_2)$ can be mapped to an Abelard move in $\mathcal{G}(A_1, A_2)$, and that Eloise's response in $\mathcal{G}(A_1, A_2)$ can actually be mapped to an Eloise move in $\overline{\mathcal{G}}(A_1, A_2)$. This mapping defines a relation $\mathcal{R}$ between the positions of $\mathcal{G}(A_1, A_2)$ and the positions of $\overline{\mathcal{G}}(A_1, A_2)$. Formally,

$\mathcal{R} \subseteq Pos_E(\mathcal{G}(A_1, A_2)) \times Pos_E(\overline{\mathcal{G}}(A_1, A_2)) \cup Pos_A(\mathcal{G}(A_1, A_2)) \times Pos_A(\overline{\mathcal{G}}(A_1, A_2))$,

such that if $(p, \bar p) \in \mathcal{R}$, and the move $p \to p'$ in $\mathcal{G}(A_1, A_2)$ is mapped to $\bar p \to \bar p'$ in $\overline{\mathcal{G}}(A_1, A_2)$, or $\bar p \to \bar p'$ in $\overline{\mathcal{G}}(A_1, A_2)$ is mapped to $p \to p'$ in $\mathcal{G}(A_1, A_2)$, then $(p', \bar p') \in \mathcal{R}$. Furthermore, we impose that the following invariant (Inv-≈) holds: If $(p, \bar p) \in \mathcal{R}$ then $p \approx_C \bar p$, where $C = \Sigma_{A_1} \cup \Sigma_{A_2} \cup codom(\tau_1) \cup codom(\tau_2)$. We recall that the variables in $\overline{\mathcal{G}}(A_1, A_2)$ are instantiated from the finite set of letters $C_0 = C \cup (X_1 \times X_2) \cup (X_2 \times X_1)$.

The main part of the proof consists in finding the right way to relate the instantiation of the variables in $\mathcal{G}(A_1, A_2)$ and $\overline{\mathcal{G}}(A_1, A_2)$. For this purpose, given two sets $S_1$ and $S_2$ of alphabets such that $S_1 \cap S_2 = C \neq \emptyset$, we define a function $\Theta^{S_1, S_2} : \mathcal{C}_{X, S_1} \times \mathcal{C}_{X, S_1} \times \mathcal{C}_{X, S_2} \to \mathcal{C}_{X, S_2}$, that given three substitutions $M$, $\gamma$ and $M'$ such that $dom(M) \cap dom(\gamma) = \emptyset$ and $M \approx_C M'$, constructs a substitution $\gamma' = \Theta^{S_1, S_2}(M, \gamma, M')$ such that $M \uplus \gamma \approx_C M' \uplus \gamma'$.

To show how to use $\Theta$, assume $p = ((\sigma_1, q_1), (\sigma_2, q_2))_A$ is a position in $\mathcal{G}(A_1, A_2)$, and $\gamma$ is an instantiation made by Abelard from $p$ (i.e. $\gamma$ in the move $M_A$ of Def. 7). Assume also that $\bar p = ((\bar\sigma_1, q_1), (\bar\sigma_2, q_2))_A$ is a position in $\overline{\mathcal{G}}(A_1, A_2)$ such that $(p, \bar p) \in \mathcal{R}$. Then, Abelard's instantiation $\bar\gamma$ from $\bar p$ is defined by $\bar\gamma = \Theta^{\Sigma, C_0}(\sigma_1 \uplus \sigma_2, \gamma, \bar\sigma_1 \uplus \bar\sigma_2)$.

For the other direction, Eloise's instantiation of the variables in $\overline{\mathcal{G}}(A_1, A_2)$ from $C_0$ is related to Eloise's instantiation of the variables in $\mathcal{G}(A_1, A_2)$ from $\Sigma$ by following the same principle. Following this construction, we ensure that the invariant (Inv-≈) is always maintained.

The proof of the direction "⇐" is similar to the one of "⇒": we follow the same instantiation principle and we keep the same definition of the ≈-coherence. □
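The coherence relation of Definition 9 and the role of $\Theta$ in the proof above, as an added example in Python (not code from the paper). The paper only states the property $\Theta^{S_1, S_2}$ must guarantee, namely $M \uplus \gamma \approx_C M' \uplus \gamma'$; the body of `theta`, the data `C`, `S2`, `M`, `M_BAR`, `GAMMA`, and the use of plain letters `f1`, `f2`, `f3` in place of the pairs from $X_1 \times X_2$ that $C_0$ provides are my assumptions.

```python
# Constructed example for Definition 9 (σ ≈_C σ̄) and for the function Θ of
# Proposition 2: from Abelard's instantiation γ over the infinite alphabet,
# build γ̄ over the finite alphabet S2 ⊇ C with M ⊎ γ ≈_C M̄ ⊎ γ̄.
# Substitutions are dicts from variables to letters. Not the paper's code;
# the body of theta is my reconstruction.

def coherent(sigma, sigma_bar, C):
    """σ ≈_C σ̄ (Definition 9): same proper domain, agreement on every
    variable that either side maps into C, and the same equality pattern."""
    if set(sigma) != set(sigma_bar):                                  # condition 1
        return False
    for x in sigma:                                                   # condition 2
        if (sigma[x] in C or sigma_bar[x] in C) and sigma[x] != sigma_bar[x]:
            return False
    for x in sigma:                                                   # condition 3
        for y in sigma:
            if (sigma[x] == sigma[y]) != (sigma_bar[x] == sigma_bar[y]):
                return False
    return True

def theta(M, gamma, M_bar, C, S2):
    """Given M ≈_C M̄, dom(M) ∩ dom(γ) = ∅ and γ with values in any alphabet,
    return γ̄ with values in S2 such that M ⊎ γ ≈_C M̄ ⊎ γ̄.
    Letters of C are kept; a letter equal to one already bound by M (or by an
    earlier variable of γ) is sent to the image of that binding; any other
    letter receives a letter of S2 \\ C not used by M̄ or by γ̄ so far."""
    if set(M) & set(gamma):
        raise ValueError("dom(M) and dom(gamma) must be disjoint")
    if not coherent(M, M_bar, C):
        raise ValueError("M and M_bar are not coherent")
    gamma_bar = {}
    spare = sorted(set(S2) - set(C) - set(M_bar.values()))   # unused letters of S2 \ C
    for x in sorted(gamma):
        a = gamma[x]
        if a in C:
            gamma_bar[x] = a
            continue
        twin = next((y for y in M if M[y] == a), None)        # same letter bound in M?
        if twin is not None:
            gamma_bar[x] = M_bar[twin]
            continue
        twin = next((y for y in gamma_bar if gamma[y] == a), None)   # or earlier in γ?
        if twin is not None:
            gamma_bar[x] = gamma_bar[twin]
            continue
        if not spare:
            raise ValueError("S2 has too few letters outside C")
        gamma_bar[x] = spare.pop(0)
    return gamma_bar

# Constructed data. C plays the role of Σ_A1 ∪ Σ_A2 ∪ codom(τ1) ∪ codom(τ2);
# S2 adds three letters standing in for the pairs of X1 × X2 ∪ X2 × X1 in C0.
C = {"a", "b"}
S2 = {"a", "b", "f1", "f2", "f3"}
M = {"x": "a", "y": "k"}           # variables already bound in a position of G(A1, A2)
M_BAR = {"x": "a", "y": "f1"}      # their coherent counterpart in the finite game
GAMMA = {"z": "k", "u": "m", "v": "b", "w": "m"}   # Abelard's instantiation from Σ

def demo():
    """Map GAMMA into the finite alphabet and confirm the invariant (Inv-≈)."""
    gamma_bar = theta(M, GAMMA, M_BAR, C, S2)
    joined_ok = coherent({**M, **GAMMA}, {**M_BAR, **gamma_bar}, C)
    return gamma_bar, joined_ok

if __name__ == "__main__":
    print(demo())
```

In the constructed data `z` reuses the letter already bound to `y`, so it is sent to `f1`, the image of `y`; `u` and `w` share a letter that occurs nowhere else and are sent together to the first unused letter `f2`; `v` carries a letter of $C$ and is kept. Condition 3 of Definition 9 is exactly what forces the first two choices, and condition 2 the third.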

It follows from Lemma 5 and Proposition 2: 
Theorem 4. The simulation problem is decidable for GVAs. 

6 Comparison with related classes of automata 

In this section we argue that GVAs are strictly more expressive than variable automata [8] and FMA [9]. The latter models are incomparable. Firstly, we recall that variable automata are an extension of FA in which the transitions are labeled by letters or variables among $X \cup \{y\}$. Given a variable automaton $B$, the main idea is that the variables in $X \cup \{y\}$ range over $\Sigma \setminus \Sigma_B$, where $\Sigma_B$ is the finite set of the letters appearing in the transition function of $B$. Besides, the instantiations of $y$ differ from the instantiations of the variables in $X$. Out of $B$ we can construct a GVA $A$ recognizing the same language (Lemma 8 in Appendix D.1). In fact, $A$ can mimic $B$ by turning the above constraints on the variables $X \cup \{y\}$ into guards, and refreshing only the variable $y$ in the source states of the transitions labeled with $y$. We emphasize that this construction does not directly imply that the simulation for variable automata is decidable, although it is decidable for GVAs.

Secondly, we recall that a FMA is a 7-tuple $\mathcal{F} = (\Sigma, k, Q, q_0, \tau, \varrho, \delta, F)$ where $k \in \mathbb{N}^+$ is the number of registers, $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $\tau : [k] \to \Sigma$ is a partial function called the initial assignment, $\varrho : Q \to [k]$ is a partial function called the reassignment, $\delta : Q \times [k] \to \mathcal{P}(Q)$ is called the transition function, and $F \subseteq Q$ is the set of final states. Intuitively, given a current assignment $R : [k] \to \Sigma$, when a FMA $\mathcal{F}$ is in state $q$ and reads a symbol $a$, then $\mathcal{F}$ changes its state into $q'$ if $q' \in \delta(q, i)$ provided that $R(i)$ equals $a$. If $a \notin codom(R)$, then $\mathcal{F}$ writes $a$ into the register $\varrho(q)$ and changes the state into $q'$ if $q' \in \delta(q, \varrho(q))$. The formal definition of the run of FMA is in Appendix D.

We can show that for every FMA with $k$ registers and $n$ states, we can construct a GVA with $k + 1$ variables and $O(n \cdot (k+1)!)$ states recognizing the same language (Lemma 9 in Appendix D.2). The idea is that $k$ variables are used to mimic the $k$ registers and the remaining variable is used to store the current letter. In fact, this correspondence between the $k$ registers and the $k + 1$ variables can change depending on the transitions of the FMA.
Finally, since the language $L(A_1)$ (resp. $L(A_2)$) of Example 1 cannot be recognized by any FMA (resp. any variable automaton), then:

Theorem 5. GVAs are strictly more expressive than FMA and variable 
automata. 

7 Conclusion 

It is worth investigating the decidability of the containment problem for 
the subclass of GFVAs without disequalities in the guards. We also plan 
to apply our result on GFVAs simulation to the synthesis of web service 
composition. In this context, disequalities should be useful to express 
security policy enforcement on services [6,2]. 
Appendices

A Remarks for Section 3 

Remark 1. It is possible to consider the disjunction operation ($\vee$) in the guards, but one can show that any GVA in which the guards contain disjunctions can be turned into a GVA recognizing the same language and in which the guards are without disjunctions, i.e. in the set $G$ defined earlier. But we must be careful about the instantiation of the potential free variables present in the guard: a transition $q_1 \to q_2$ whose guard is the disjunction of $g_1$ and $g_2$ can be equivalently turned into two transitions $q_1 \to q_2$, one per disjunct, where $E_1 = \bigwedge_{x \in S_1} (x = x)$ (resp. $E_2 = \bigwedge_{y \in S_2} (y = y)$) and $S_1 = V(g_2) \setminus V(g_1)$ (resp. $S_2 = V(g_1) \setminus V(g_2)$).

B Proofs for Section 4 

B.1 GVAs with empty initial assignment

Claim 1. Let $g$ be a guard, $\sigma$ a substitution and $D \subseteq X$. If $\sigma \models g$ then $\sigma_{|\bar D} \models g^{\setminus D}$ where $\bar D = Dom(\sigma) \setminus D$.

Proof. Assume $g = \bigwedge_{i \in I} g_i$ where every $g_i$ is an atomic guard. The proof is by induction on $|D|$. If $D = \emptyset$, then the proof is trivial since $g^{\setminus \emptyset} = g$. For the induction case, assume $D = \{x\} \uplus D'$. On the one hand, we have $\bar D = Dom(\sigma) \setminus D = Dom(\sigma) \setminus (\{x\} \uplus D') = (Dom(\sigma) \setminus \{x\}) \setminus D'$. On the other hand, $g^{\setminus D} = g^{\setminus (\{x\} \uplus D')} = (g^{\setminus \{x\}})^{\setminus D'}$. If $\sigma \models g$, from the induction hypothesis we have $\sigma_{|Dom(\sigma) \setminus \{x\}} \models g^{\setminus \{x\}}$ and $\sigma_{|(Dom(\sigma) \setminus \{x\}) \setminus D'} \models (g^{\setminus \{x\}})^{\setminus D'}$. □

Lemma 1. For a GVA (with initial assignment) we can construct a GVA 
with empty initial assignment recognizing the same language. 

Proof. Let $A = (\Sigma, X, Q, q_0, \tau_0, \delta, F, \kappa)$ be a GVA. Define

$\phi = \bigwedge \{(z = a) \mid \tau_0(z) = a\}$ (1)

Let $\mathcal{L} = \mathcal{C}_{dom(\tau_0), codom(\tau_0)}$. We let $A' = (\Sigma, X, Q', q_0', F', \delta', \kappa')$ defined by:

$Q' = \{(q, \tau) \mid q \in Q \text{ and } \tau \in \mathcal{L}\}$
$q_0' = (q_0, (\tau_0)_{|dom(\tau_0) \setminus \kappa^{-1}(q_0)})$
$F' = \{(q, \tau) \mid q \in F \text{ and } \tau \in \mathcal{L}\}$

The transition function $\delta'$ is defined by:

$(q', \tau_{|D}) \in \delta'((q, \tau), \alpha, g \wedge \phi_{|dom(\tau)})$ iff $q' \in \delta(q, \alpha, g)$,

where $\alpha \in \Sigma \cup X$ and $g \in G$ and $\tau \in \mathcal{L}$, and $D = dom(\tau) \setminus \kappa^{-1}(q')$. Finally,

$\kappa'(x) = \{(q, \tau) \mid q \in \kappa(x) \text{ and } \tau \in \mathcal{L}\}$.

The following Claim is straightforward.

Claim 2. We have that $\tau_0 \models \phi$.

Claim 3. Let $D_0 = dom(\tau_0) \setminus \kappa^{-1}(q_0)$ and let $w = w_1 \ldots w_n$ be a word in $\Sigma^*$. There exists a run

$q_0, M_0 \xrightarrow{w_1} q_1, M_1 \xrightarrow{w_2} \cdots \xrightarrow{w_n} q_n, M_n$

in $A$ over $w$, where $M_0 = (\tau_0)_{|D_0}$, if and only if, there exists a run

$(q_0, \tau_0), M_0' \xrightarrow{w_1} (q_1, \tau_1), M_1' \xrightarrow{w_2} \cdots \xrightarrow{w_n} (q_n, \tau_n), M_n'$

in $A'$ over $w$, where $M_0' = \emptyset$, $\tau_0 = \tau_{0|D_0}$ and, for all $i = 0, \ldots, n-1$, $\phi_{i+1} = \phi_{|dom(\tau_i)}$, and the following three invariants hold:

$\tau_i \models \phi_{i+1}$, (Inv-1)

$\tau_{i+1} \subseteq M_{i+1}'$, (Inv-2)

$M_{i+1} = M_{i+1}'$. (Inv-3)

Proof (of Claim 3). The proof is by induction on $n \geq 1$, the length of the run, in both directions.

— Base case $n = 1$.

⇒) Let

$M_1 \stackrel{def}{=} (M_0 \uplus \sigma)_{|D}$, where $dom(\sigma) = V(M_0(g_1)) \cup V(M_0(\alpha_1))$ and $D = Dom(M_0 \uplus \sigma) \setminus \kappa^{-1}(q_1)$ and $M_0 \uplus \sigma \models g_1$ and $(M_0 \uplus \sigma)(\alpha_1) = w_1$.

We must show the existence of a substitution $\sigma'$ such that:

$M_1' = (M_0' \uplus \sigma')_{|D'}$, where $dom(\sigma') = V(M_0'(g_1 \wedge \phi_1)) \cup V(M_0'(\alpha_1))$ and $D' = Dom(M_0' \uplus \sigma') \setminus \kappa^{-1}(q_1)$ and $M_0' \uplus \sigma' \models g_1 \wedge \phi_1$ and $(M_0' \uplus \sigma')(\alpha_1) = w_1$.

Since $M_0' = \emptyset$, $M_1'$ can be rewritten as

$M_1' = \sigma'_{|D'}$, where $dom(\sigma') = V(g_1 \wedge \phi_1) \cup V(\alpha_1)$ and $D' = Dom(\sigma') \setminus \kappa^{-1}(q_1)$ and $\sigma' \models g_1 \wedge \phi_1$ and $\sigma'(\alpha_1) = w_1$.

We take $\sigma' = M_0 \uplus \sigma$, and we must show that $M_0 \uplus \sigma \models g_1 \wedge \phi_1$, that is, we must show $M_0 \uplus \sigma \models \phi_1$. From Claim 2 we have $\tau_0 \models \phi$, hence $\tau_0 = M_0 = (\tau_0)_{|D_0} \models \phi_{|dom(\tau_0)} = \phi_1$, $D = D'$ and $M_1 = M_1'$. Thus the invariants (Inv-1) and (Inv-3) hold. To prove (Inv-2), on the one hand we have $\tau_0 = M_0$ and $\tau_1 = (\tau_0)_{|Dom(\tau_0) \setminus \kappa^{-1}(q_1)}$. On the other hand, $M_1' = M_1 = (M_0 \uplus \sigma)_{|Dom(M_0 \uplus \sigma) \setminus \kappa^{-1}(q_1)}$. Therefore, $\tau_1 \subseteq M_1'$.

⇐) Let $M_1'$ be as in the previous direction; we find a substitution $\sigma$ such that $M_1$ exists. We take $\sigma = \sigma' \setminus M_0$. The proof that the invariants hold is similar to the previous direction.

— Induction case. Assume the claim holds up to $n$. Let us prove the equivalence for $n + 1$.

⇒) Let

$M_{n+1} \stackrel{def}{=} (M_n \uplus \sigma)_{|D}$, where $dom(\sigma) = V(M_n(g_{n+1})) \cup V(M_n(\alpha_{n+1}))$ and $D = Dom(M_n \uplus \sigma) \setminus \kappa^{-1}(q_{n+1})$ and $M_n \uplus \sigma \models g_{n+1}$ and $(M_n \uplus \sigma)(\alpha_{n+1}) = w_{n+1}$.

We must show the existence of a substitution $\sigma'$ such that

$M_{n+1}' \stackrel{def}{=} (M_n' \uplus \sigma')_{|D'}$, where $dom(\sigma') = V(M_n'(g_{n+1} \wedge \phi_{n+1})) \cup V(M_n'(\alpha_{n+1}))$ and $D' = Dom(M_n' \uplus \sigma') \setminus \kappa^{-1}(q_{n+1})$ and $M_n' \uplus \sigma' \models g_{n+1} \wedge \phi_{n+1}$ and $(M_n' \uplus \sigma')(\alpha_{n+1}) = w_{n+1}$.

From the induction hypothesis we have $\tau_n \subseteq M_n'$ and $M_n = M_n'$. Since $\tau_{n-1} \models \phi_n$, then by applying Claim 1, we get $\tau_n \models \phi_{n+1}$. Thus we take $\sigma' = \sigma$. Hence $M_{n+1}' = M_{n+1}$ and $D' = D$. We must show that $M_n \uplus \sigma \models g_{n+1} \wedge \phi_{n+1}$. But this holds since $\tau_n \subseteq M_n$ and $\tau_n \models \phi_{n+1}$. It remains to show that $\tau_{n+1} \subseteq M_{n+1}' = M_{n+1}$. But this follows from the fact that $\tau_{n+1} \stackrel{def}{=} (\tau_n)_{|dom(\tau_n) \setminus \kappa^{-1}(q_{n+1})}$ and $M_{n+1} = (M_n \uplus \sigma)_{|D}$, where $D$ is defined above in terms of $\kappa^{-1}(q_{n+1})$.

⇐) Let $M_{n+1}'$ be as in the previous direction; we find a substitution $\sigma$ such that $M_{n+1}$ exists. We take again $\sigma' = \sigma$, and the proof is similar to that of the previous direction. □

□



B.2 Closure properties of GVAs 



The class of GVAs with $\epsilon$-transitions will be denoted by $\epsilon$-GVAs. We emphasize that the $\epsilon$-transitions are not guarded.



Claim 4. For a $\epsilon$-GVA $A^\epsilon$ there exists a GVA $A$ (without $\epsilon$-transitions) satisfying $L(A) = L(A^\epsilon)$.



Proof. The construction of a GVA out of a $\epsilon$-GVA is more subtle than the construction known for FAs since we need to take into account the refreshing of the variables. We define an operator $\theta$ that transforms a $\epsilon$-GVA to an equivalent $\epsilon$-GVA with strictly fewer $\epsilon$-transitions. Thus the desired GVA without $\epsilon$-transitions is the least fixed-point of $\theta$. Intuitively, the operator $\theta$ eliminates all the $\epsilon$-transitions which are preceded by a non-$\epsilon$-transition.

Assume $A^\epsilon = (\Sigma, X, Q^\epsilon, Q_0^\epsilon, F^\epsilon, \delta^\epsilon, \kappa^\epsilon)$. Let $T(q)$ be the set of states that are reachable from state $q$ by following an $\epsilon$-transition and let $T(Q') = \{T(q) \mid q \in Q'\}$, for $Q' \subseteq Q^\epsilon$. Let $\theta(A^\epsilon) = (\Sigma, X, Q, Q_0, F, \delta, \kappa)$ where:

$Q = Q^\epsilon \cup (Q^\epsilon \times Q^\epsilon)$
$\pi_1 : \mathcal{P}(Q) \to \mathcal{P}(Q^\epsilon)$
$\pi_2 : \mathcal{P}(Q) \to \mathcal{P}(Q^\epsilon)$
$Q_0 = Q_0^\epsilon \cup T(Q_0^\epsilon) \cup \pi_1^{-1}(Q_0^\epsilon)$
$F = F^\epsilon \cup T^{-1}(F^\epsilon) \cup \pi_2^{-1}(F^\epsilon)$
$\delta = \{p \xrightarrow{\alpha} q \in \delta^\epsilon \mid \alpha \neq \epsilon\} \cup \{q_1 \xrightarrow{\alpha} (q_2, q_3) \mid q_1 \xrightarrow{\alpha} q_2 \xrightarrow{\epsilon} q_3 \in \delta^\epsilon,\ \alpha \neq \epsilon\} \cup \{(q_1, q_2) \xrightarrow{\alpha} q_3 \mid q_2 \xrightarrow{\alpha} q_3 \in \delta^\epsilon\} \cup \{q_1 \xrightarrow{\epsilon} q_2 \mid \nexists\, q_0 \xrightarrow{\alpha} q_1 \text{ s.t. } \alpha \neq \epsilon\}$
$\kappa = \kappa^\epsilon \cup (\pi_1^{-1} \circ \kappa^\epsilon) \cup (\pi_2^{-1} \circ \kappa^\epsilon)$

In order to prove that $L(\theta(A^\varepsilon)) = L(A^\varepsilon)$, it suffices to prove the following three facts; the first one is straightforward.

Fact 1. Every accepting run in $A^\varepsilon$ that does not follow any $\varepsilon$-transition is still an accepting run in $\theta(A^\varepsilon)$. Conversely, every accepting run in $\theta(A^\varepsilon)$ that passes only through states in $Q^\varepsilon$ is still an accepting run in $A^\varepsilon$.

Fact 2. There exists a run

$$q_0,M_0 \xrightarrow{\alpha} q_1,M_1 \xrightarrow{\varepsilon} q_2,M_2$$

in $A^\varepsilon$ with $\alpha \neq \varepsilon$ iff there exists a run

$$q_0,M_0 \xrightarrow{\alpha} (q_1,q_2),M'_2$$

in $\theta(A^\varepsilon)$ such that $M_2 = M'_2$.

Proof of Fact 2.

$\Rightarrow$) From the definition of $Q$ and $\delta$ it follows that $(q_1,q_2) \in \delta(q_0,\alpha,g)$, and it remains to show that $M_2 = M'_2$. We only discuss the case when $\alpha$ is a letter in $\Sigma$; the case when it is a variable can be handled similarly. On the one hand, $M_2 = M_1|_{D_2}$ where $D_2 = Dom(M_1) \setminus (\kappa^\varepsilon)^{-1}(q_2)$, and $M_1 = (M_0 \uplus \gamma)|_{D_1}$ where $D_1 = Dom(M_0 \uplus \gamma) \setminus (\kappa^\varepsilon)^{-1}(q_1)$ and $\gamma$ is a substitution such that $\gamma \models M_0(g)$. Hence $M_2 = (M_0 \uplus \gamma)|_D$ where $D = (Dom(M_0) \uplus dom(\gamma)) \setminus ((\kappa^\varepsilon)^{-1}(q_1) \cup (\kappa^\varepsilon)^{-1}(q_2))$. On the other hand, we have $M'_2 = (M_0 \uplus \gamma)|_{D'}$, where $D' = Dom(M_0 \uplus \gamma) \setminus \kappa^{-1}((q_1,q_2))$. It follows from the definition of $\kappa$, the refreshing function of $\theta(A^\varepsilon)$, that $\kappa^{-1}((q_1,q_2)) = (\kappa^\varepsilon)^{-1}(q_1) \cup (\kappa^\varepsilon)^{-1}(q_2)$. Hence $D = D'$ and $M_2 = M'_2$.




$\Leftarrow$) This direction is proved by following the same reasoning made in the direction ($\Rightarrow$) on the refreshing function.

This ends the proof of Fact 2. □

Fact 3. Let $q_1 \in Q^\varepsilon$ and $(q_0,q_1) \in Q$. There exists a run

$$q_1,M_1 \xrightarrow{\alpha} q_2,M_2$$

in $A^\varepsilon$ iff there exists a run

$$(q_0,q_1),M_1 \xrightarrow{\alpha} q_2,M_2$$

in $\theta(A^\varepsilon)$.

Proof of Fact 3. By checking the transition function $\delta$. □

To accomplish the proof, it remains to notice that if $q \in Q$ is such that $q \notin \pi^{-1}(Q^\varepsilon)$, then the outgoing transitions from $q$ in $A^\varepsilon$ are exactly the outgoing transitions from $q$ in $\theta(A^\varepsilon)$.

□

Theorem 1. GVAs are closed under concatenation, Kleene operator and intersection.

Proof. Let $A_1 = (\Sigma_1, X_1, Q_1, q_0^1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma_2, X_2, Q_2, q_0^2, \delta_2, F_2, \kappa_2)$ be two GVAs. Up to variable renaming it is sufficient to consider the closure under the above operations for two GVAs that do not share variables.

The closure under Kleene operation and concatenation is a direct consequence of the fact that GVAs with $\varepsilon$-transitions and GVAs recognize the same languages (Claim 4 above). More precisely, the Kleene closure $A_1^*$ amounts to adding an (unguarded) $\varepsilon$-transition between the accepting states and the initial states of $A_1$, and the concatenation $A_1 \cdot A_2$ amounts to adding an (unguarded) $\varepsilon$-transition between the accepting states of $A_1$ and the initial states of $A_2$.

The closure under intersection follows from the fact that the intersection of two GVAs $A_1$ and $A_2$, denoted by $A_1 \cap A_2$, can be defined as follows:

$$A_1 \cap A_2 = (\Sigma_1 \cup \Sigma_2,\ X_1 \cup X_2,\ Q_1 \times Q_2,\ q_0^1 \times q_0^2,\ \delta,\ F_1 \times F_2,\ \kappa),$$

where $\delta$ and $\kappa$ are defined by:

- $(q'_1,q'_2) \in \delta((q_1,q_2), (\alpha_1, (\alpha_1 = \alpha_2) \wedge g_1 \wedge g_2))$ iff $q'_1 \in \delta_1(q_1,\alpha_1,g_1)$ and $q'_2 \in \delta_2(q_2,\alpha_2,g_2)$;
- $(q_1,q_2) \in \kappa(x)$ iff $q_1 \in \kappa_1(x)$ or $q_2 \in \kappa_2(x)$.

The proof that $L(A_1) \cap L(A_2) = L(A_1 \cap A_2)$ is straightforward. □

Proposition 1. The complement of a regular language is GVA-recognizable. That is, given a FA $F$ there exists a GVA $A$ such that $L(A) = \Sigma^* \setminus L(F)$.

Proof. The construction of $A$ is similar to the one for FAs (over a finite alphabet). We assume that $F$ is deterministic. Firstly, we complete $F$, i.e. we construct an equivalent GVA such that for each state $q$ of $F$ and for each letter $l \in \Sigma$ there is a unique transition outgoing from $q$ that reads $l$. Secondly, we swap the accepting and non-accepting states. Formally, assume $F = (\Sigma, Q, p_0, \delta, F)$, with $Q = \{q_1,\ldots,q_n\}$, and define $A = (\Sigma, X, Q', p_0, \delta', F', \kappa)$ by

$$X = \{x_1,\ldots,x_n\}$$
$$Q' = Q \cup \{q_{i1}, q_{i2} \mid i = 1,\ldots,n\}$$
$$F' = (Q \setminus F) \cup \{q_{i1}, q_{i2} \mid i = 1,\ldots,n\}$$
$$\delta' = \delta \cup \{q_i \to q_{i1} \mid \text{for all } a_j \text{ s.t. } q_i \xrightarrow{a_j} q_{i'} \in \delta\} \cup \{q_{i2} \to q_{i2}\}$$
$$\kappa(x_i) = \{q_{i2}\}$$

Notice that $F$ rejects a word $w$ iff $A$ accepts $w$. □

B.3 Decision procedures for GVAs 

Theorem 2. For GVAs, Membership is NP-complete.

Proof. Let $A$ be a GVA and $w = w_1 \cdots w_n$ a word in $\Sigma^*$.

For the upper bound of the membership, a non-deterministic polynomial algorithm guesses a path in $A$ of length $|w|$ such that the final state is accepting, and a series of substitutions $\sigma_1,\ldots,\sigma_{|w|}$, where $\sigma_j : X \to \{w_j \mid 1 \leq j \leq |w|\}$, then checks whether the corresponding run on $w$ is possible. The lower bound, i.e. the NP-hardness, follows from the fact that the membership problem for GVAs without guards, i.e. fresh-variable automata, is NP-complete [3, Theorem 3]. The undecidability of the universality follows from [8], since this problem is undecidable for the class of variable automata, which is a subclass of GVAs. □
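The membership procedure of Theorem 2 and the product of Theorem 1, as an added Python example that is not part of the paper: a minimal GVA simulator whose `accepts` explores every guessed path and substitution, and an `intersection` that builds $A_1 \cap A_2$ with the guard $(\alpha_1 = \alpha_2) \wedge g_1 \wedge g_2$ and the union refreshing function. The encoding of guards, transitions and $\kappa$, the two automata $A_1$, $A_2$, and the instantiation of free guard variables from the letters of the input word are assumptions of this example.

```python
"""Added example (not the paper's code): a small GVA simulator, the
membership check of Theorem 2 and the product construction of Theorem 1.
Assumed encoding: a guard is a list of atoms (lhs, rhs, is_equal) over
letters and variables; a transition is (src, alpha, guard, dst); kappa[x]
is the set of states in which variable x is refreshed (dropped from the
substitution on entry). Free guard variables are instantiated from the
letters of the input word, which is the guess in the proof of Theorem 2."""
from itertools import product


class GVA:
    def __init__(self, variables, states, initial, final, trans, kappa):
        self.variables = set(variables)
        self.states = set(states)
        self.initial = set(initial)
        self.final = set(final)
        self.trans = list(trans)
        self.kappa = {x: set(kappa.get(x, ())) for x in self.variables}

    def is_var(self, s):
        return s in self.variables

    def holds(self, M, guard):
        """Evaluate a conjunction of (dis)equalities under substitution M."""
        for lhs, rhs, eq in guard:
            l = M[lhs] if self.is_var(lhs) else lhs
            r = M[rhs] if self.is_var(rhs) else rhs
            if (l == r) != eq:
                return False
        return True

    def step(self, q, M, letter, cand):
        """Yield the configurations (q', M') reachable from (q, M) on `letter`."""
        for src, alpha, guard, dst in self.trans:
            if src != q:
                continue
            ext = dict(M)
            if self.is_var(alpha):
                if alpha in ext and ext[alpha] != letter:
                    continue          # a bound variable must denote the letter read
                ext[alpha] = letter   # a free variable is bound to the letter read
            elif alpha != letter:
                continue              # a letter label must match exactly
            free = sorted({v for atom in guard for v in atom[:2]
                           if self.is_var(v) and v not in ext})
            for choice in product(cand, repeat=len(free)):
                sub = {**ext, **dict(zip(free, choice))}      # M ⊎ γ
                if self.holds(sub, guard):
                    # (M ⊎ γ)|_D with D = Dom(M ⊎ γ) \ κ^{-1}(q')
                    yield dst, {x: v for x, v in sub.items()
                                if dst not in self.kappa[x]}

    def accepts(self, word):
        """Membership (Theorem 2): explore every guessed path and substitution."""
        cand = sorted(set(word))
        frontier = {(q, ()) for q in self.initial}
        for letter in word:
            nxt = set()
            for q, items in frontier:
                for q2, M2 in self.step(q, dict(items), letter, cand):
                    nxt.add((q2, tuple(sorted(M2.items()))))
            frontier = nxt
        return any(q in self.final for q, _ in frontier)


def intersection(a1, a2):
    """Product of Theorem 1: read alpha1 under guard (alpha1 = alpha2) ∧ g1 ∧ g2,
    and refresh x in (q1, q2) iff q1 ∈ κ1(x) or q2 ∈ κ2(x)."""
    assert not (a1.variables & a2.variables), "variables must be disjoint"
    trans = [((s1, s2), al1, [(al1, al2, True)] + list(g1) + list(g2), (d1, d2))
             for s1, al1, g1, d1 in a1.trans for s2, al2, g2, d2 in a2.trans]
    states = set(product(a1.states, a2.states))
    kappa = {x: {(p, q) for p, q in states if p in a1.kappa[x]} for x in a1.variables}
    kappa.update({x: {(p, q) for p, q in states if q in a2.kappa[x]} for x in a2.variables})
    return GVA(a1.variables | a2.variables, states,
               set(product(a1.initial, a2.initial)),
               set(product(a1.final, a2.final)), trans, kappa)


def example_automata():
    """Constructed inputs: A1 accepts a·u·a with a not in u (vy is refreshed in
    p1, so every letter of u is compared against vx afresh); A2 accepts every
    word of length exactly 3 (vz is refreshed in each target state)."""
    a1 = GVA({"vx", "vy"}, {"p0", "p1", "p2"}, {"p0"}, {"p2"},
             [("p0", "vx", [], "p1"),
              ("p1", "vy", [("vy", "vx", False)], "p1"),
              ("p1", "vx", [], "p2")],
             {"vy": {"p1"}})
    a2 = GVA({"vz"}, {"s0", "s1", "s2", "s3"}, {"s0"}, {"s3"},
             [("s0", "vz", [], "s1"), ("s1", "vz", [], "s2"), ("s2", "vz", [], "s3")],
             {"vz": {"s1", "s2", "s3"}})
    return a1, a2


if __name__ == "__main__":
    a1, a2 = example_automata()
    both = intersection(a1, a2)
    for w in ("aba", "aaa", "abca", "aa"):
        print(w, a1.accepts(w), a2.accepts(w), both.accepts(w))
```

The breadth-first search over (state, substitution) pairs is exponential in the worst case, which is exactly what the NP bound of Theorem 2 predicts; the example automata keep the frontier tiny.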
Nonemptiness

Lemma 2. Let $A = (\Sigma, X, Q, Q_0, F, \delta, \kappa)$ be a GVA and $A' = (\Sigma, X, Q', Q'_0, F', \delta', \kappa')$ be its stretched form. Then,

i) There exists a run $q_0,M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} q_n,M_n$ in $A$ if, and only if, there exists a run $(q_0,X),M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} (q_n,X_n),M_n$ in $A'$ with $X_n = X \setminus Dom(M_n)$.
ii) A variable $x$ is free in a state $(q,X) \in Q'$ iff $x \in X$.

Proof.

i) By induction on $n$. Since $dom(M_0) = \emptyset$ the case $n = 0$ is trivial. Assume the claim holds up to $n$. Let us prove the equivalence for $n+1$.

$\Leftarrow$) Since $(q_{n+1},X_{n+1}) \in \delta'((q_n,X_n), \alpha_{n+1}, g_{n+1})$, by induction $X_n = X \setminus Dom(M_n)$. Thus $q_{n+1} \in \delta(q_n, \alpha_{n+1}, g_{n+1})$. The substitution $M_{n+1}$ obtained is as expected.

$\Rightarrow$) Assume a transition $q_n,M_n \xrightarrow{\alpha_{n+1}} q_{n+1},M_{n+1}$. From the definition of $\delta'$ it follows that $(q_{n+1},X_{n+1}) \in \delta'((q_n,X_n), \alpha_{n+1}, g_{n+1})$.

ii) Immediate from Item i) since for every configuration $((q,X),M)$ we have that $x \in X$ iff $x \notin Dom(M)$.

□

Lemma 3. There exists a run $q_0,M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} q_n,M_n$ in $A$ if, and only if, there exists a run $(q_0,true),M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} (q_n,\phi_n),M_n$ in $A/\!\sim$ such that $M_i \models \phi_i$, for all $i = 0,\ldots,n$.

Proof. By induction on $n$. Since $dom(M_0) = \emptyset$ and $\phi_0 = true$ the case $n = 0$ is trivial. Assume the claim holds up to $n$. Let us prove the equivalence for $n+1$.

$\Leftarrow$) Since $(q_{n+1},\phi_{n+1}) \in \delta'((q_n,\phi_n), \alpha_{n+1}, g_{n+1})$ then $q_{n+1} \in \delta(q_n, \alpha_{n+1}, g_{n+1})$ where $\phi_{n+1} = (g_{n+1} \wedge \phi_n)^{(q_{n+1})}$. From the induction hypothesis we have

$$M_n \models \phi_n, \qquad (2)$$

and we know that there exists a substitution $\sigma$ such that $\alpha_{n+1} \in Dom(\sigma)$ and

$$M_{n+1} = (\sigma \uplus M_n)|_D, \qquad (3)$$

where $D = Dom(\sigma \uplus M_n) \setminus \kappa^{-1}(q_{n+1})$. We must show that $M_{n+1} \models \phi_{n+1}$. Since $M_{n+1} = (\sigma \uplus M_n)|_D$ (Eq. 3), we must show that

$$(\sigma \uplus M_n)|_D \models g_{n+1}^{(q_{n+1})} \wedge \phi_n^{(q_{n+1})} \qquad (4)$$

On the one hand, it follows from (3) that $(\sigma \uplus M_n)|_D \models g_{n+1}^{(q_{n+1})}$. On the other hand, from (2) we get $(\sigma \uplus M_n)|_D \models \phi_n^{(q_{n+1})}$, and we are done.

$\Rightarrow$) Let $q_{n+1} \in \delta(q_n, \alpha_{n+1}, g_{n+1})$. Hence $(q_{n+1},\phi_{n+1}) \in \delta'((q_n,\phi_n), \alpha_{n+1}, g_{n+1})$, where $\phi_{n+1} = (g_{n+1} \wedge \phi_n)^{(q_{n+1})}$. By a similar argument, the claim $M_{n+1} \models \phi_{n+1}$ holds.

□

Fact 3. If $q_0,M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} q_n,M_n$ is a run in $A$, where $n \geq 1$, then $M_i \vdash g_{i+1}$ for all $i = 0,\ldots,n-1$.

Proof. This is an immediate consequence of the definition of the run, since there are substitutions $\gamma_i$ such that $\gamma_i \uplus M_i \models g_{i+1}$. □

Lemma 4. Let $A$ be a GVA in the normal form. Let

$$\pi = (q_0,X_0,\phi_0) \xrightarrow{\alpha_1,g_1} \cdots \xrightarrow{\alpha_n,g_n} (q_n,X_n,\phi_n)$$

be a path in $A$ with $\phi_0 = true$ and $q_0 \in Q_0$. Then, there is a run over $\pi$ iff $\vdash \phi_n$ and $\vdash \phi_i \wedge g_{i+1}$, for all $i = 0,\ldots,n-1$.

Proof. From Lemma 3 and Fact 3 it follows that there is a run

$$\pi' = (q_0,X_0,\phi_0),M_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} (q_n,X_n,\phi_n),M_n$$

iff $M_i \models \phi_i$ for all $i = 0,\ldots,n$, and $M_j \vdash g_{j+1}$ for all $j = 0,\ldots,n-1$. Therefore $M_i \vdash \phi_i$, hence $M_i \vdash \phi_i \wedge g_{i+1}$. Thus we get $\vdash \phi_i \wedge g_{i+1}$ for all $i = 0,\ldots,n-1$, and $\vdash \phi_n$. □

Corollary 2. Let $A$ be a GVA in the normal form. Let $\pi_1 \circ \pi_2 \circ \pi_3$ be a path in $A$ with $\eta_f(\pi_1) = \eta_0(\pi_2) = \eta_f(\pi_2) = \eta_0(\pi_3)$. If there is an accepting run in $A$ over $\pi_1 \circ \pi_2 \circ \pi_3$ then there is an accepting run over $\pi_1 \circ \pi_3$ as well.

Proof. Let

$$\pi_1 = (q_0,X_0,\phi_0) \xrightarrow{\alpha_1,g_1} \cdots \xrightarrow{\alpha_n,g_n} (q_n,X_n,\phi_n)$$
$$\pi_2 = (q_n,X_n,\phi_n) \xrightarrow{\alpha_{n+1},g_{n+1}} \cdots \xrightarrow{\alpha_m,g_m} (q_m,X_m,\phi_m) = (q_n,X_n,\phi_n)$$
$$\pi_3 = (q_m,X_m,\phi_m) \xrightarrow{\alpha_{m+1},g_{m+1}} \cdots \xrightarrow{\alpha_r,g_r} (q_r,X_r,\phi_r)$$

be paths in $A$ and assume the existence of an accepting run over $\pi_1 \circ \pi_2 \circ \pi_3$. Then it follows from Lemma 4 that $\vdash \phi_r$ and $\vdash \phi_i \wedge g_{i+1}$, for $i = 0,\ldots,r-1$. Hence $\vdash \phi_i \wedge g_{i+1}$, for $i \in [0,\ldots,n-1] \cup [m,\ldots,r-1]$. That is, there is an accepting run over the path $\pi_1 \circ \pi_3$. □



C Proofs for Section 5 

The definition of simulation preorder for GVAs follows.

Definition 11. Let $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_2, \delta_2, F_2, \kappa_2)$ be two GVAs where $X_1 \cap X_2 = \emptyset$. A simulation of $A_1$ by $A_2$ is a relation $\leq\ \subseteq (\mathcal{C}_{X_1,\Sigma} \times Q_1) \times (\mathcal{C}_{X_2,\Sigma} \times Q_2)$ such that:

- $(\tau_1, q_0^1) \leq (\tau_2, q_0^2)$.
- if $(\sigma_1,q_1) \leq (\sigma_2,q_2)$ and $(\sigma_1,q_1) \xrightarrow{a} (\sigma'_1,q'_1)$ for $a \in \Sigma$, then there exists a state $q'_2 \in Q_2$ such that $(\sigma_2,q_2) \xrightarrow{a} (\sigma'_2,q'_2)$ and $(\sigma'_1,q'_1) \leq (\sigma'_2,q'_2)$.

The claims in the following Lemma are not hard to prove. They will be used in the proofs of the main claims.

Lemma 4. Let $C \subseteq \Sigma$ be a finite set of letters, $\sigma$ and $\bar\sigma$ two substitutions, $x \in X$, and $a$ a letter in $C$. The following hold.

1. If $\sigma \bowtie_C \bar\sigma$ then $|codom(\sigma)| = |codom(\bar\sigma)|$.
2. If $\sigma \bowtie_C \bar\sigma$ and $D \subseteq Dom(\sigma)$ then $\sigma|_D \bowtie_C \bar\sigma|_D$.
3. If $(\sigma_1 \uplus \sigma_2) \bowtie_C (\bar\sigma_1 \uplus \bar\sigma_2)$ with $dom(\sigma_i) = dom(\bar\sigma_i)$, then $\sigma_i \bowtie_C \bar\sigma_i$, for $i = 1,2$.
4. If $\sigma \bowtie_C \bar\sigma$ and $\gamma$ is a substitution with $dom(\gamma) \cap dom(\sigma) = \emptyset$, then $\sigma \uplus \gamma \bowtie_C \bar\sigma \uplus \gamma$.
5. If $\sigma \bowtie_C \bar\sigma$ with $\sigma(y) = a$ and $\bar\sigma(y) = \bar a$ for some variable $y$, and $x \notin dom(\sigma)$, then $\sigma \uplus \{x \mapsto a\} \bowtie_C \bar\sigma \uplus \{x \mapsto \bar a\}$.
6. If $\sigma \bowtie_C \bar\sigma$ and $a \notin C \cup codom(\sigma)$ and $\bar a \notin C \cup codom(\bar\sigma)$ and $x \notin dom(\sigma)$, then $\sigma \uplus \{x \mapsto a\} \bowtie_C \bar\sigma \uplus \{x \mapsto \bar a\}$.

Notice that the opposite direction of Item 3 of Lemma 4 does not hold in general.
Lemma 5. Let $\sigma$ and $\bar\sigma$ be two substitutions, where $\sigma \bowtie_C \bar\sigma$, and let $g$ be a guard such that $\Sigma_g \subseteq C$. Then, $\sigma \models g$ iff $\bar\sigma \models g$.

Proof. By induction on the structure of $g$ in both directions.

$\Rightarrow$) If $g = (a = x)$, where $a \in \Sigma$ and $x \in X$, then $\sigma(x) \in C$, hence $\bar\sigma(x) \in C$. Therefore $\sigma(x) = \bar\sigma(x) = a$. If $g = (x = y)$, where $x,y \in X$, then from the definition of $\bowtie_C$ we have that $\sigma(x) = \sigma(y)$ iff $\bar\sigma(x) = \bar\sigma(y)$. Thus the claim holds. The case when $g = g_1 \wedge g_2$ follows from a direct application of the induction hypothesis.

$\Leftarrow$) This direction follows from the fact that $\sigma \bowtie_C \bar\sigma$ iff $\bar\sigma \bowtie_C \sigma$.

□

Corollary 3. Let $\sigma$ and $\bar\sigma$ be two substitutions, where $\sigma \bowtie_C \bar\sigma$, and let $g$ be a guard such that $\Sigma_g \subseteq C$. Then, $\sigma \vdash g$ iff $\bar\sigma \vdash g$.

Proof.

$\Rightarrow$) We show that if there exists a substitution $\gamma$ such that $dom(\gamma) = V(g) \setminus dom(\sigma)$ and $\sigma \models \gamma(g)$, then $\bar\sigma \models \gamma(g)$. But this follows from Lemma 5.

$\Leftarrow$) This direction follows from the fact that $\bowtie_C$ is a symmetric relation.

□

Corollary 4. Let $\sigma, \bar\sigma, \gamma, \bar\gamma$ be substitutions, where $dom(\gamma) \cap dom(\sigma) = \emptyset$ and $dom(\bar\gamma) \cap dom(\bar\sigma) = \emptyset$. Let $g$ be a guard such that $\Sigma_g \subseteq C$. If $\sigma \uplus \gamma \bowtie_C \bar\sigma \uplus \bar\gamma$ then we have that $\gamma \models \sigma(g)$ iff $\bar\gamma \models \bar\sigma(g)$.

In what follows we let $S_1, S_2$ be two (possibly infinite) sets of letters with $|S_1 \setminus S_2| > |X|$ and $|S_2 \setminus S_1| > |X|$ and $S_1 \cap S_2 \neq \emptyset$. Let $C = S_1 \cap S_2$.

In order to relate the instantiations of the variables in the game $\mathcal{G}$ to the instantiations of the variables in the game $\hat{\mathcal{G}}$, we need to introduce the function $\Theta_C^{S_1,S_2} : \mathcal{C}_{X,S_1} \times \mathcal{C}_{X,S_1} \times \mathcal{C}_{X,S_2} \to \mathcal{C}_{X,S_2}$ that, given three substitutions $M$, $\gamma$ and $M'$ such that $dom(M) \cap dom(\gamma) = \emptyset$ and $M \bowtie_C M'$, constructs a substitution $\gamma' = \Theta_C^{S_1,S_2}(M,\gamma,M')$ such that $M \uplus \gamma \bowtie_C M' \uplus \gamma'$.

Definition 12. We define the functions $\hat\Theta_C^{S_1,S_2}$ and $\Theta_C^{S_1,S_2}$ as follows. Let $M_1, \gamma_1 \in \mathcal{C}_{X,S_1}$, $M_2 \in \mathcal{C}_{X,S_2}$. Then, $\hat\Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2)$ is defined only when $|dom(\gamma_1)| = 1$ and $dom(\gamma_1) \cap dom(M_1) = \emptyset$ and $M_1 \bowtie_C M_2$, by:

$$\hat\Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2) = \begin{cases} \gamma_1 & \text{if } \gamma_1(x) \in C \\ \{x \mapsto M_2(y)\} & \text{if } \gamma_1(x) \in codom(M_1) \setminus C \text{ and } M_1(y) = \gamma_1(x),\ y \in X \\ \{x \mapsto get(S_2 \setminus codom(M_2))\} & \text{if } \gamma_1(x) \in S_1 \setminus (C \cup codom(M_1)) \end{cases}$$

where $dom(\gamma_1) = \{x\}$.

And $\Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2)$ is defined only when $dom(\gamma_1) \cap dom(M_1) = \emptyset$ by:

$$\Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2) = \begin{cases} \hat\Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2) & \text{if } |\gamma_1| = 1 \\ \gamma'_2 \uplus \Theta_C^{S_1,S_2}(M_1 \uplus \gamma'_1, \gamma''_1, M_2 \uplus \gamma'_2) & \text{if } |\gamma_1| \geq 2,\ \gamma_1 = \gamma'_1 \uplus \gamma''_1 \text{ and } |\gamma'_1| = 1 \end{cases}$$

where $\gamma'_2 = \hat\Theta_C^{S_1,S_2}(M_1,\gamma'_1,M_2)$.



Lemma 6. Let $M_1, \gamma_1 \in \mathcal{C}_{X,S_1}$ and $M_2 \in \mathcal{C}_{X,S_2}$ be substitutions with $dom(M_1) \cap dom(\gamma_1) = \emptyset$ and $M_1 \bowtie_C M_2$. We have that

$$(M_1 \uplus \gamma_1) \bowtie_C (M_2 \uplus \Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2))$$

Proof. By induction on $|dom(\gamma_1)| \geq 1$.

Base Case. If $|dom(\gamma_1)| = 1$ then assume $dom(\gamma_1) = \{x\}$ and let $\gamma_2 = \Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2)$. We distinguish three cases depending on $\gamma_1(x)$.

- If $\gamma_1(x) \in C$ then it follows from the definition of $\Theta_C^{S_1,S_2}$ that $\gamma_2 = \gamma_1$. From Item 4 of Lemma 4 we get $M_1 \uplus \gamma_1 \bowtie_C M_2 \uplus \gamma_1$.
- If $\gamma_1(x) \in codom(M_1) \setminus C$ then in this case we recall that $\gamma_2 = \{x \mapsto M_2(y)\}$ where $M_1(y) = \gamma_1(x)$ for some variable $y \in X$. The claim that $(M_1 \uplus \{x \mapsto \gamma_1(x)\}) \bowtie_C M_2 \uplus \{x \mapsto M_2(y)\}$ follows from Item 5 of Lemma 4.
- Otherwise, i.e. if $\gamma_1(x) \in S_1 \setminus (C \cup codom(M_1))$, then the claim that $(M_1 \uplus \{x \mapsto \gamma_1(x)\}) \bowtie_C (M_2 \uplus \{x \mapsto get(S_2 \setminus codom(M_2))\})$ follows from Item 6 of Lemma 4.

Induction Case. Assume $\gamma_1 = \gamma'_1 \uplus \gamma''_1$ with $|\gamma'_1| = 1$. Let

$$\gamma'_2 = \Theta_C^{S_1,S_2}(M_1,\gamma'_1,M_2), \quad \gamma''_2 = \Theta_C^{S_1,S_2}(M_1 \uplus \gamma'_1, \gamma''_1, M_2 \uplus \gamma'_2), \quad \text{and} \quad \Theta_C^{S_1,S_2}(M_1,\gamma_1,M_2) = \gamma'_2 \uplus \gamma''_2.$$

From the induction hypothesis it follows that

$$M_1 \uplus \gamma'_1 \bowtie_C M_2 \uplus \gamma'_2 \quad \text{and} \quad (M_1 \uplus \gamma'_1) \uplus \gamma''_1 \bowtie_C (M_2 \uplus \gamma'_2) \uplus \gamma''_2$$

Therefore

$$M_1 \uplus \gamma_1 \bowtie_C M_2 \uplus \gamma_2$$

□



Lemma 7. Let $\sigma_1, \sigma_2, \sigma_3, \gamma_2 \in \mathcal{C}_{X,S_1}$ and $\alpha, \beta \in \Sigma \cup X$ and $\sigma'_1, \sigma'_2, \sigma'_3 \in \mathcal{C}_{X,S_2}$ and $g_2 \in G$ be such that

$$\begin{array}{l} \gamma_2(\sigma_2(\beta)) = \sigma_3(\alpha) \\ \sigma_3 \uplus \sigma_2 \bowtie_C \sigma'_3 \uplus \sigma'_2 \\ \sigma_1 \bowtie_C \sigma'_1 \\ \gamma_2 \models \sigma_2(g_2) \\ dom(\sigma_1) \subseteq dom(\sigma_3) \\ dom(\sigma'_1) \subseteq dom(\sigma'_3) \end{array} \qquad (5)$$

There exists a function $\Xi_C^{S_1,S_2}$

$$(\sigma_1,\sigma_2,\sigma_3,\gamma_2,\alpha,\beta,g_2,\sigma'_1,\sigma'_2,\sigma'_3) \mapsto \gamma'_2$$

which is defined only if Eq (5) holds and satisfies the following:

$$\gamma'_2(\sigma'_2(\beta)) = \sigma'_3(\alpha) \qquad (A.1)$$
$$(\sigma_1 \uplus \gamma_1) \uplus (\sigma_2 \uplus \gamma_2) \bowtie_C (\sigma'_1 \uplus \gamma'_1) \uplus (\sigma'_2 \uplus \gamma'_2) \qquad (A.2)$$
$$\gamma'_2 \models \sigma'_2(g_2) \qquad (A.3)$$

Proof. The construction of $\Xi_C^{S_1,S_2}$ depends on $\sigma_3(\alpha)$.

I.) If $\sigma_3(\alpha) \in C$, then in this case we have $\sigma'_3(\alpha) = \sigma_3(\alpha) \in C$. Hence $\sigma'_2 = \sigma_2$. Thus (A.1) holds. Furthermore we let:

$$\gamma'_2 = \Theta_C^{S_1,S_2}(\sigma_3 \uplus \sigma_2, \gamma_2, \sigma'_3 \uplus \sigma'_2)$$

From Lemma 6 it follows that

$$\sigma_3 \uplus \sigma_2 \uplus \gamma_1 \uplus \gamma_2 \bowtie_C \sigma'_3 \uplus \sigma'_2 \uplus \gamma'_1 \uplus \gamma'_2$$

From Eq (5) we have $dom(\sigma_1) \subseteq dom(\sigma_3)$ and $dom(\sigma'_1) \subseteq dom(\sigma'_3)$ and $dom(\sigma_1) = dom(\sigma'_1)$, hence it follows from Item 2 of Lemma 4 that

$$\sigma_1 \uplus \sigma_2 \uplus \gamma_2 \bowtie_C \sigma'_1 \uplus \sigma'_2 \uplus \gamma'_2$$

Therefore (A.2) holds. Finally (A.3) follows from Corollary 4.

II.) If $\sigma_3(\alpha) \in S_1 \setminus C$, then $\alpha$ must be a variable, say $y_1 \in X$. We distinguish two cases depending on $\sigma_2(\beta)$.

i.) If $\sigma_2(\beta)$ is a letter then in this case $\sigma_2(\beta) = \sigma_3(\alpha)$, and we let

$$\gamma'_2 = \Theta_C^{S_1,S_2}(\sigma_3 \uplus \sigma_2 \uplus \gamma_1, \gamma_2, \sigma'_3 \uplus \sigma'_2 \uplus \gamma'_1)$$

And we must show that $\sigma'_3(\alpha) = \sigma'_2(\beta)$. Notice that $\beta$ must be a variable, say $y_2 \in X$. On the one hand we have that $\{y_1 \mapsto \sigma_3(\alpha), y_2 \mapsto \sigma_2(\beta)\} \subseteq \sigma_3 \uplus \sigma_2$ and $\{y_1 \mapsto \sigma'_3(\alpha), y_2 \mapsto \sigma'_2(\beta)\} \subseteq \sigma'_3 \uplus \sigma'_2$. On the other hand, we have that $\sigma_3(\alpha) = \sigma_2(\beta)$ and $\sigma_3 \uplus \sigma_2 \bowtie_C \sigma'_3 \uplus \sigma'_2$. Therefore $\sigma'_3(\alpha) = \sigma'_2(\beta)$, thus (A.1), (A.2) and (A.3) hold.

ii.) If $\sigma_2(\beta)$ is a variable, say $y_2 \in X$, then $\sigma_2(\beta) = \sigma'_2(\beta) = \beta = y_2$, since $\sigma_2 \bowtie_C \sigma'_2$. In this case we have $\{y_2 \mapsto \sigma_3(\alpha)\} \subseteq \gamma_2$. Thus we let

$$\gamma'_2 = \Theta_C^{S_1,S_2}(\sigma_3 \uplus \sigma_2 \uplus \{y_1 \mapsto \sigma_3(\alpha)\}, \gamma_2, \sigma'_3 \uplus \sigma'_2 \uplus \{y_1 \mapsto \sigma'_3(\alpha)\})$$

And Eqs (A.1), ..., (A.3) hold.

III.) If $\sigma_3(\alpha)$ is a variable, say $x_1 \in X$, then $\sigma_3(\alpha) = \sigma'_3(\alpha) = \alpha = x_1$. We distinguish two cases depending on the nature of $\sigma_2(\beta)$.

i.) If $\sigma_2(\beta)$ is a letter then $\sigma'_2(\beta)$ is a letter as well since $\sigma_2 \bowtie_C \sigma'_2$. This case is dual w.r.t. case II.ii).

ii.) If $\sigma_2(\beta)$ is a variable, say $y_2 \in X$, then $\sigma_2(\beta) = \sigma'_2(\beta) = \beta = y_2$ since $\sigma_2 \bowtie_C \sigma'_2$. In this case we let $\gamma'_2 = \Theta_C^{S_1,S_2}(\sigma_1 \uplus \sigma_2, \gamma_2, \sigma'_1 \uplus \sigma'_2)$.

□

By using the functions $\Theta$ and $\Xi$ and their respective properties stated in Lemmas 6 and 7 we are ready to prove that the games $\mathcal{G}$ and $\hat{\mathcal{G}}$ are equivalent:

Proposition 2. Let $A_1 = (\Sigma, X_1, Q_1, q_0^1, \tau_1, \delta_1, F_1, \kappa_1)$ and $A_2 = (\Sigma, X_2, Q_2, q_0^2, \tau_2, \delta_2, F_2, \kappa_2)$ be two GVAs. Then, Eloise has a winning strategy in $\mathcal{G}(A_1,A_2)$ iff she has a winning strategy in $\hat{\mathcal{G}}(A_1,A_2)$.






Proof. Up to variable renaming, we can assume that $X_1 \cap X_2 = \emptyset$. For the direction "$\Rightarrow$" we show that out of a winning strategy of Eloise in $\mathcal{G}(A_1,A_2)$ we construct a winning strategy for her in $\hat{\mathcal{G}}(A_1,A_2)$. For this purpose, we shall show that each move of Abelard in $\hat{\mathcal{G}}(A_1,A_2)$ can be mapped to an Abelard move in $\mathcal{G}(A_1,A_2)$, and Eloise's response in $\mathcal{G}(A_1,A_2)$ can be mapped to an Eloise move in $\hat{\mathcal{G}}(A_1,A_2)$. This mapping defines a relation $\mathcal{R}$ between the positions of $\hat{\mathcal{G}}(A_1,A_2)$ and the positions of $\mathcal{G}(A_1,A_2)$ as follows:

$$\mathcal{R} \subseteq \mathrm{Pos}_E(\hat{\mathcal{G}}(A_1,A_2)) \times \mathrm{Pos}_E(\mathcal{G}(A_1,A_2)) \cup \mathrm{Pos}_A(\hat{\mathcal{G}}(A_1,A_2)) \times \mathrm{Pos}_A(\mathcal{G}(A_1,A_2))$$

(More precisely, if $(\hat p, p) \in \mathcal{R}$, and the move $\hat p \to \hat p'$ is mapped to $p \to p'$, or $p \to p'$ is mapped to $\hat p \to \hat p'$, then $(\hat p', p') \in \mathcal{R}$.) Furthermore, we impose that the following invariant holds:

$$\text{If } (\hat p, p) \in \mathcal{R} \text{ then } \hat p \bowtie_C p, \qquad (\text{Inv-}\bowtie)$$

where $C = \Sigma_{A_1} \cup \Sigma_{A_2} \cup codom(\tau_1) \cup codom(\tau_2)$. We recall that the variables in $\hat{\mathcal{G}}(A_1,A_2)$ are instantiated from the set of letters $C_0 = C \cup (X_1 \times X_2) \cup (X_2 \times X_1)$. The proof is by induction on $n$, the number of moves made in $\hat{\mathcal{G}}(A_1,A_2)$ plus the number of moves made in $\mathcal{G}(A_1,A_2)$. The base case, i.e. when $n = 0$, trivially holds since the starting position of $\hat{\mathcal{G}}(A_1,A_2)$ and of $\mathcal{G}(A_1,A_2)$ is $((\tau_1,q_0^1),(\tau_2,q_0^2))_A$.

For the induction case let $(\hat p_n, p_n) \in \mathcal{R}$. We consider two possibilities: when $\hat p_n$ and $p_n$ are both Abelard positions and when they are both Eloise positions.

i) Consider the first possibility and an Abelard move $\hat m = \hat p_n \to \hat p_{n+1}$ in $\hat{\mathcal{G}}(A_1,A_2)$. In this case we have $\hat m \in \hat{\mathcal{M}}_A$ and $\hat m$ is of the form:

$$\hat m = ((\hat\sigma_1,q_1),(\hat\sigma_2,q_2))_A \to (((\hat\sigma_1 \uplus \hat\gamma)|_D, q'_1), (\hat\sigma_2,q_2), (\hat\sigma_1 \uplus \hat\gamma, g_1))_E$$

with $q'_1 \in \delta_1(q_1,\alpha,g_1)$, $D = Dom(\hat\sigma_1 \uplus \hat\gamma) \setminus \kappa_1^{-1}(q'_1)$, $\hat\sigma_1 \uplus \hat\gamma \models g_1$ and $\hat\gamma : V(\hat\sigma_1(g_1)) \setminus V(\hat\sigma_1(\alpha)) \to C_0$.

From the induction hypothesis we have $\hat p_n \bowtie_C p_n$. Hence $p_n = ((\sigma_1,q_1),(\sigma_2,q_2))_A$, for two substitutions $\sigma_1, \sigma_2$ where $(\hat\sigma_1 \uplus \hat\sigma_2) \bowtie_C (\sigma_1 \uplus \sigma_2)$. Thus Abelard's move in $\mathcal{G}(A_1,A_2)$ is

$$m = ((\sigma_1,q_1),(\sigma_2,q_2))_A \to (((\sigma_1 \uplus \gamma)|_D, q'_1), (\sigma_2,q_2), (\sigma_1 \uplus \gamma, g_1))_E$$

where $\gamma : V(\sigma_1(g_1)) \setminus V(\alpha) \to \Sigma$ is defined by

$$\gamma = \Theta_C^{C_0,\Sigma}(\hat\sigma_1 \uplus \hat\sigma_2, \hat\gamma, \sigma_1 \uplus \sigma_2). \qquad (6)$$

Indeed, notice that since $\hat\sigma_1 \bowtie_C \sigma_1$ then $dom(\hat\gamma) = dom(\gamma)$. Furthermore, we must show that

$$\sigma_1 \uplus \gamma \models g_1 \qquad (7)$$

and that the invariant (Inv-$\bowtie$) is maintained, i.e. to show that $\hat p_{n+1} \bowtie_C p_{n+1}$, that is to show that:

$$((\hat\sigma_1 \uplus \hat\gamma)|_D \cup (\hat\sigma_1 \uplus \hat\gamma)) \uplus \hat\sigma_2 \bowtie_C ((\sigma_1 \uplus \gamma)|_D \cup (\sigma_1 \uplus \gamma)) \uplus \sigma_2. \qquad (8)$$

From the definition of $\gamma$ in Eq (6) and by applying Lemma 6 we get $(\hat\sigma_1 \uplus \hat\sigma_2) \uplus \hat\gamma \bowtie_C (\sigma_1 \uplus \sigma_2) \uplus \gamma$. Therefore,

$$(\hat\sigma_1 \uplus \hat\gamma) \uplus \hat\sigma_2 \bowtie_C (\sigma_1 \uplus \gamma) \uplus \sigma_2 \qquad (9)$$

On the one hand, it follows from Item 3 of Lemma 4 that $(\hat\sigma_1 \uplus \hat\gamma) \bowtie_C (\sigma_1 \uplus \gamma)$. Since we already have $\hat\sigma_1 \uplus \hat\gamma \models g_1$, it follows from Corollary 3 that $\sigma_1 \uplus \gamma \models g_1$. Thus Eq (7) is proved. On the other hand, since $M|_D \subseteq M$ for any substitution $M$ and any $D \subseteq dom(M)$, Eq (8) follows from Eq (9).

ii) Secondly, we consider the possibility when both $\hat p_n$ and $p_n$ are Eloise positions. We consider an Eloise move $m = p_n \to p_{n+1}$ in $\mathcal{G}(A_1,A_2)$, and we describe the corresponding Eloise move in $\hat{\mathcal{G}}(A_1,A_2)$. In this case we have $m \in \mathcal{M}_E$, and $m$ is of the form:

$$m = ((\sigma_1,q_1),(\sigma_2,q_2),(\sigma_3,\alpha))_E \to ((\sigma_1,q_1),((\sigma_2 \uplus \gamma_2)|_{D_2}, q'_2))_A$$

with $q'_2 \in \delta_2(q_2,\beta,g_2)$, $D_2 = Dom(\sigma_2 \uplus \gamma_2) \setminus \kappa_2^{-1}(q'_2)$, $\gamma_1(\sigma_3(\alpha)) = \gamma_2(\sigma_2(\beta))$, $\gamma_2 \models \sigma_2(g_2)$ and $\gamma_2 : V(\sigma_2(\beta)) \cup V(\sigma_2(g_2)) \to \Sigma$.

From the induction hypothesis we have that $\hat p_n \bowtie_C p_n$, therefore $\hat p_n = ((\hat\sigma_1,q_1),(\hat\sigma_2,q_2),(\hat\sigma_3,\alpha,g_1))_E$, for substitutions $\hat\sigma_1, \hat\sigma_2, \hat\sigma_3$, such that $((\hat\sigma_1 \cup \hat\sigma_3) \uplus \hat\sigma_2) \bowtie_C ((\sigma_1 \cup \sigma_3) \uplus \sigma_2)$.

The corresponding move $\hat m$ in $\hat{\mathcal{G}}(A_1,A_2)$ is:

$$\hat m = ((\hat\sigma_1,q_1),(\hat\sigma_2,q_2),(\hat\sigma_3,\alpha))_E \to ((\hat\sigma_1,q_1),((\hat\sigma_2 \uplus \hat\gamma_2)|_{D_2}, q'_2))_A$$

with $\hat\gamma_1(\hat\sigma_3(\alpha)) = \hat\gamma_2(\hat\sigma_2(\beta))$, $\hat\gamma_2 \models \hat\sigma_2(g_2)$ and $\hat\gamma_2 : V(\hat\sigma_2(\beta)) \cup V(\hat\sigma_2(g_2)) \to C_0$, where $\hat\gamma_2$ is defined by

$$\hat\gamma_2 = \Xi_C^{\Sigma,C_0}(\sigma_1,\sigma_2,\sigma_3,\gamma_2,\alpha,\beta,g_2,\hat\sigma_1,\hat\sigma_2,\hat\sigma_3)$$

From Eq (A.2) of Lemma 7 we get

$$\sigma_1 \uplus \sigma_2 \uplus \gamma_2 \bowtie_C \hat\sigma_1 \uplus \hat\sigma_2 \uplus \hat\gamma_2$$

From Item 2 of Lemma 4 it follows that the invariant is maintained, i.e.

$$\sigma_1 \uplus (\sigma_2 \uplus \gamma_2)|_{D_2} \bowtie_C \hat\sigma_1 \uplus (\hat\sigma_2 \uplus \hat\gamma_2)|_{D_2}$$

The proof of the direction "$\Leftarrow$" is dual w.r.t. the proof of the direction "$\Rightarrow$". That is, it can be obtained by replacing Eloise by Abelard, and Abelard by Eloise, and keeping the same instantiation strategy and the definition of the $\bowtie$-coherence. This ends the proof of the Proposition. □
D Proofs and definitions for Section 6

D.1 GVAs vs. variable automata of [8]

In this subsection we show that for every variable automaton we can construct a GVA recognizing the same language. Firstly, we recall the definition of variable automata of Grumberg et al. [8].

Definition 13. A variable automaton is a tuple $\mathcal{B} = (\Sigma, X \cup \{y\}, B)$, where $\Sigma$ is an infinite set of letters, $X \cup \{y\}$ is a finite set of variables, and $B = (\Sigma_B \cup X \cup \{y\}, Q, Q_0, \delta, F)$ is a finite automaton, called the pattern automaton, with the finite set $\Sigma_B \subseteq \Sigma$.

The main idea is that the variables in $X \cup \{y\}$ range over $\Sigma \setminus \Sigma_B$, and the instantiations of $y$ differ from the instantiations of the variables in $X$. The formal definition of languages recognized by variable automata follows.

Consider a (symbolic) word $v = v_1 v_2 \ldots v_n \in (\Sigma_B \cup X \cup \{y\})^*$ recognized by $B$, and another word $w = w_1 w_2 \cdots w_n \in \Sigma^*$. We say that $w$ is a legal instance of $v$ in $\mathcal{B}$ if the following holds:

- $v_i = w_i$ for every $v_i \in \Sigma_B$,
- for $v_i, v_j \in X$, it holds that $w_i = w_j$ iff $v_i = v_j$, and $w_i, w_j \notin \Sigma_B$, and
- for $v_i = y$ and $v_j \neq y$, it holds that $w_i \neq w_j$.

Intuitively, a legal instance of $v$ leaves all occurrences of $v_i \in \Sigma_B$ unchanged, associates every occurrence of $v_j \in X$ with the same unique letter, not in $\Sigma_B$, and associates every occurrence of $y$ freely with letters from $\Sigma \setminus \Sigma_B$, different from those associated with the $X$ variables.
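A checker for the legal-instance relation just defined, as an added Python example that is not part of [8] or of this paper. $\Sigma_B$, $X$ and $y$ are passed explicitly as plain strings, and, following the informal description, instances of $y$ are also required to lie outside $\Sigma_B$.

```python
"""Added example (not from the paper): is w a legal instance of the symbolic
word v in a variable automaton? Implements the three conditions of the
definition; Sigma_B, X and y are given explicitly, and an instance of y is
additionally required to lie outside Sigma_B, as the informal description
after the definition states."""


def is_legal_instance(v, w, sigma_b, X, y="y"):
    if len(v) != len(w):
        return False
    sigma_b = set(sigma_b)
    for vi, wi in zip(v, w):
        if vi in sigma_b:
            if wi != vi:                       # letters of v are left unchanged
                return False
        elif vi in X:
            if wi in sigma_b:                  # X-variables range over Σ \ Σ_B
                return False
            for vj, wj in zip(v, w):           # same variable iff same letter
                if vj in X and (wi == wj) != (vi == vj):
                    return False
        elif vi == y:
            if wi in sigma_b:                  # y ranges over Σ \ Σ_B as well
                return False
            for vj, wj in zip(v, w):           # y-instances differ from all others
                if vj != y and wi == wj:
                    return False
        else:
            raise ValueError(f"symbol {vi!r} is not in Σ_B ∪ X ∪ {{y}}")
    return True


if __name__ == "__main__":
    # constructed pattern: a session opened by x is closed by the same x,
    # with some other principal y acting in between
    pattern = ["login", "x", "y", "logout", "x"]
    trace = ["login", "alice", "bob", "logout", "alice"]
    print(is_legal_instance(pattern, trace, {"login", "logout"}, {"x"}))
```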

Lemma 8. For every variable automaton $\mathcal{B}$ we can construct a GVA $A$ such that $L(A) = L(\mathcal{B})$.

Proof. Let $\mathcal{B} = (\Sigma, X \cup \{y\}, B)$ be a variable automaton with $B = (\Sigma_B \cup X \cup \{y\}, Q, Q_0, \delta_B, F)$ as pattern automaton. For a variable $x \in X$, define the guards

$$\phi_x = \bigwedge\{(x \neq z) \mid z \in \Sigma_B\}$$
$$\phi_y = \bigwedge\{(y \neq z) \mid z \in \Sigma_B \cup X\}$$

Out of $B$ we can construct an equivalent GVA $A = (\Sigma, X \cup \{y\}, Q, Q_0, \delta_A, F, \kappa)$, where the transition function $\delta_A$ is defined by:

$$q_2 \in \delta_B(q_1,a) \text{ iff } q_2 \in \delta_A(q_1,a), \text{ with } a \in \Sigma_B$$
$$q_2 \in \delta_B(q_1,x) \text{ iff } q_2 \in \delta_A(q_1,x,\phi_x), \text{ with } x \in X$$
$$q_2 \in \delta_B(q_1,y) \text{ iff } q_2 \in \delta_A(q_1,y,\phi_y).$$

And the refreshing function $\kappa$ is defined by:

$$\kappa(x) = \emptyset, \text{ for all } x \in X, \text{ and}$$
$$\kappa(y) = \{q \mid \exists q' \in Q, g \in G \text{ s.t. } q' \in \delta_A(q,y,g)\}$$

Claim 4. Consider a word $v = v_1 v_2 \cdots v_n \in (\Sigma_B \cup X \cup \{y\})^*$ that reads along $B$, and another word $w = w_1 w_2 \cdots w_n \in \Sigma^*$. There exists a run $q_0,M_0 \xrightarrow{w_1} \ldots \xrightarrow{w_n} q_n,M_n$ in $A$ over $w$ where $M_0 = \emptyset$ iff $w$ is a legal instance of $v$ in $\mathcal{B}$.

Proof (of Claim 4). The proof is by induction on $n$ in both directions. The case $n = 0$ trivially holds. Assume that the claim holds up to $n$, and let us prove it for $n+1$.

$\Rightarrow$) Assume a transition $q_{n+1} \in \delta_A(q_n, \alpha_{n+1}, g_{n+1})$ in $A$. From the definition of the transition function $\delta_A$, we have $q_{n+1} \in \delta_B(q_n, \alpha_{n+1})$. We distinguish three cases depending on $\alpha_{n+1}$:

- If $\alpha_{n+1}$ is a letter in $\Sigma$, then this case is immediate.
- If $\alpha_{n+1}$ is a variable $x \in X$, then in this case we recall that $g_{n+1} = \phi_x$, where $\phi_x$ is defined above. We distinguish two cases:
  - If $\forall i \leq n$, $\alpha_i \neq y$: in this case the transition in $B$ is possible since $\phi_x$ implies that $w_{n+1} \notin \Sigma_B$.
  - Otherwise, let $n_1,\ldots,n_m \in \{1,\ldots,n\}$ be all the indexes such that $\alpha_{n_l} = y$ for all $l = 1,\ldots,m$. Since the variables $x$ are never refreshed, for $v_i, v_j \in X$ it holds that $w_i = w_j$ iff $v_i = v_j$. From the definition of $\phi_{\alpha_n} = \bigwedge_{b_k \in \Sigma_B}(x \neq b_k)$ we get $w_i, w_j \notin \Sigma_B$. Thus $w$ is a legal instance of $v$.
- If $\alpha_{n+1}$ is the variable $y$, then recall that $y$ is refreshed in the state $q_n$ of $A$ and $g_{n+1} = \phi_y$, where $\phi_y$ is defined above. In this case we let $X = X' \uplus dom(M_n)$. Since $M_n \vdash \phi_y$, for all $x \in dom(M_n)$ we have that $w_{n+1} \neq M_n(x)$, and for all $b_k \in \Sigma_B$, $w_{n+1} \neq b_k$. Hence for all $v_j \neq y$ we have that $w_i \neq w_j$.

$\Leftarrow$) Assume a transition $q_{n+1} \in \delta_B(q_n, \alpha_{n+1})$. From the definition of the transition function $\delta_A$, we have that $q_{n+1} \in \delta_A(q_n, \alpha_{n+1}, g_{n+1})$ in $A$, for some guard $g_{n+1} \in G$. We distinguish three cases depending on $\alpha_{n+1}$:

- If $\alpha_{n+1}$ is a letter in $\Sigma$, then in this case $g_{n+1} = true$, and we are done.
- If $\alpha_{n+1}$ is a variable $x \in X$, then in this case we have that for $v_i, v_j \in X$, it holds that $w_i = w_j$ iff $v_i = v_j$, and $w_i, w_j \notin \Sigma_B$. We recall that $g_{n+1} = \phi_x$, where $\phi_x$ is defined above. We distinguish two cases:
  - If $\forall i \leq n$, $\alpha_i \neq y$: in this case the transition in $A$ is possible since $w_{n+1} \notin \Sigma_B$ implies $\phi_x$.
  - Otherwise, let $n_1,\ldots,n_m \in \{1,\ldots,n\}$ be all the indexes such that $\alpha_{n_l} = y$. In this case, since for all $v_i, v_j \in X$ it holds that $w_i = w_j$ iff $v_i = v_j$, and $w_i, w_j \notin \Sigma_B$, then $\phi_x$ holds as well.
- If $\alpha_{n+1}$ is the variable $y$, then for all $v_j \neq y$, it holds that $w_i \neq w_j$. Since $g_{n+1} = \phi_y$, then $M_n \vdash \phi_y$. Thus, the transition in $A$ is possible.

□

D.2 GVAs vs. FMA 

We recall the formal definition of the computations of FMA.

Definition 14. Let $\mathcal{F} = (\Sigma, Q, q_0, \tau, \varrho, \delta, F)$ be a FMA. A configuration is a pair $(q,R)$ where $q \in Q$ and $R : \{1,\ldots,k\} \to \Sigma$ is an assignment. We define a transition relation over the configurations as follows: let $a \in \Sigma$, then $(q,R) \xrightarrow{a} (q',R')$ if there exists $i \in \{1,\ldots,k\}$ and $q' \in \delta(q,i)$ such that:

1. $a = R(i)$ and $R = R'$, or
2. $a \notin codom(R)$, $\varrho(q) = i$, $R'(i) = a$, and $R(j) = R'(j)$ for all $j \neq i$.

A finite word $w = w_1 w_2 \ldots w_n \in \Sigma^*$ is recognized by $\mathcal{F}$ iff there exists a run $(q_0,R_0) \xrightarrow{w_1} (q_1,R_1) \xrightarrow{w_2} \ldots \xrightarrow{w_n} (q_n,R_n)$, such that $R_0 = \tau$, $q_0 \in Q_0$ and $q_n \in F$.

Before proving that GVAs are more expressive than FMA (i.e. Lemma 9 below), let us give the idea behind the proof. We next show that for every FMA with $k$ registers and $n$ states, we can construct a GVA with $k+1$ variables and $O(n \cdot (k+1)!)$ states recognizing the same language. The idea is that $k$ variables, say $\{x_1,\ldots,x_k\}$, are used to mimic the $k$ registers, say $\{1,\ldots,k\}$, and the remaining variable, say $x_{k+1}$, is used to store the current letter.

The problem is that, while a FMA checks that the current letter does not occur in any register and writes this letter into a register (i.e. Item 2 in Def. 14), a GVA cannot — a priori — mimic these two operations through only one transition. Our solution consists in changing the correspondence between the $k$ registers and the $k+1$ variables. That is, instead of copying the value of the extra variable $x_{k+1}$ (i.e. the current letter) to the variable $x_i$ that corresponds to the register $i$, the roles of the variables $x_i$ and $x_{k+1}$ are swapped: the variable $x_{k+1}$ will correspond to the register $i$, and $x_i$ will play the role of the extra variable that will be used for storing the current letter.

For the formal proof, we need to introduce some notations. Let $k \in \mathbb{N}$. Let $X = \{x_1,\ldots,x_{k+1}\}$. We denote by $\Psi^{k,X}$ the set of all injective total functions from $[k]$ to $X$. We define $\hat\psi$ by $\hat\psi(i) = x_i$ for all $i \in [k]$. If $\psi \in \Psi^{k,X}$, then we denote by $X(\psi)$ the unique variable $x$ such that there is no $j \in [k]$ where $\psi(j) = x$. Thus, for a fixed $i \in [k]$, we define the function $\psi^i : \mathbb{N} \to X$ by $\psi^i(i) = X(\psi)$ and $\psi^i(j) = \psi(j)$ for all $j \neq i$. If $M : X \to \Sigma$ is a substitution, $R : [k] \to \Sigma$ is an assignment, and $\psi \in \Psi^{k,X}$, then we shall write $M \equiv_\psi R$ iff $|dom(M)| = |dom(R)|$ and for all $j \in [k]$ we have that $M(\psi(j)) = R(j)$.

Lemma 9. For every FMA $\mathcal{F}$ with $k$ registers, there exists a GVA $\mathcal{F}'$ with $k+1$ variables such that $L(\mathcal{F}') = L(\mathcal{F})$.

Proof. Let $\mathcal{F} = (\Sigma, k, Q, q_0, \tau, \varrho, \delta, F)$ be a FMA. We define $\mathcal{F}'$ to be the GVA $\mathcal{F}' = (\Sigma, X, Q', q'_0, \tau', \delta', F', \kappa)$ defined by:

$$X = \{x_1,\ldots,x_{k+1}\}$$
$$Q' = \{(q,\psi) \mid q \in Q \text{ and } \psi \in \Psi^{k,X}\}$$
$$q'_0 = (q_0,\hat\psi)$$
$$\tau' = \{\hat\psi(j) \mapsto a_j \mid \tau(j) = a_j,\ \forall j \in [k]\}$$
$$F' = \{(q,\psi) \mid q \in F \text{ and } \psi \in \Psi^{k,X}\}$$

and

$$(q',\psi) \in \delta'((q,\psi), X(\psi), (X(\psi) = \psi(i))) \text{ and}$$
$$(q',\psi^i) \in \delta'((q,\psi), X(\psi), \textstyle\bigwedge_{j \in [k]}(X(\psi) \neq \psi(j))) \text{ with } i = \varrho(q)$$
$$\text{iff } q' \in \delta(q,i) \qquad (10)$$

Finally, the refreshing function $\kappa$ is defined by $\kappa(x) = \{(q,\psi) \mid x = X(\psi)\}$.

Fact 5. Let $w = w_1 \ldots w_n$ be a word in $\Sigma^*$. There exists a run

$$(q_0,\psi_0),M_0 \xrightarrow{w_1} \cdots \xrightarrow{w_n} (q_n,\psi_n),M_n$$

in $\mathcal{F}'$ over $w$, in which $M_0 = \tau'$ and $\psi_0 = \hat\psi$, iff there is a run

$$q_0,R_0 \xrightarrow{w_1} \cdots \xrightarrow{w_n} q_n,R_n$$

in $\mathcal{F}$ over $w$, in which $R_0 = \tau$, such that $M_i \equiv_{\psi_i} R_i$ for all $i = 0,\ldots,n$.
Proof (of Fact 5). By induction on $n$. The case $n = 0$ follows from the definition of $\tau'$ and $\hat\psi$. In other words, we have that $\tau' \equiv_{\hat\psi} \tau$. Assume the claim holds up to $n$. Let us prove the equivalence for $n+1$.

$\Rightarrow$) Assume $(q_{n+1},\psi_{n+1}) \in \delta'((q_n,\psi_n), X(\psi_n), g_n)$. We distinguish two cases depending on the nature of this transition, i.e. depending on $g_n$.

- If $g_n = (X(\psi_n) = \psi_n(i))$ then it follows from the definition of $\delta'$ in Eq (10) that $\psi_{n+1} = \psi_n$ and $(q_n,\psi_n) \in \kappa(X(\psi_n))$ and $q_{n+1} \in \delta(q_n,i)$. On the one hand, we have that $M_{n+1} = M_n$ since the variable $X(\psi_n)$ is refreshed in both states $(q_n,\psi_n)$ and $(q_{n+1},\psi_n)$. From the induction hypothesis we have $M_n \equiv_{\psi_n} R_n$. Thus $M_n(\psi_n(i)) = R_n(i) = w_{n+1}$. It follows from the definition of the configurations for FMA that Case 1 in Def. 14 is applicable and hence $R_n = R_{n+1}$. Finally, the invariant $M_{n+1} \equiv_{\psi_{n+1}} R_{n+1}$ holds, since $M_n = M_{n+1}$ and $R_{n+1} = R_n$ and $\psi_{n+1} = \psi_n$.

- If $g_n = \bigwedge_{j \in [k]}(\psi_n(j) \neq X(\psi_n))$ then it follows from the definition of $\delta'$ in Eq (10) that $\psi_{n+1} = \psi_n^i$ and $q_{n+1} \in \delta(q_n,i)$ and $\varrho(q_n) = i$. From the induction hypothesis we have that $M_n \equiv_{\psi_n} R_n$. Since $M_n \uplus \{X(\psi_n) \mapsto w_{n+1}\} \models \bigwedge_{j \in [k]}(\psi_n(j) \neq X(\psi_n))$ and $X(\psi_n) \notin dom(M_n)$, then for all $j \in [k]$ we have $M_n(\psi_n(j)) \neq w_{n+1}$. Hence,

$$R_n(i) \neq R_n(s)\ \forall i \neq s, \quad \text{and} \quad R_n(i) = M_n(\psi_n(i)) \qquad (11)$$

It follows from the definition of the configurations for FMA that Case 2 in Def. 14 is applicable. Hence $R_{n+1}(j) = R_n(j)$ for all $j \neq i$ and $R_{n+1}(i) = w_{n+1}$. It remains to show that $M_{n+1} \equiv_{\psi_{n+1}} R_{n+1}$, where $\psi_{n+1} = \psi_n^i$.

On the one hand, from the definition of the run for GVAs we have

$$M_{n+1}(X(\psi_n)) = w_{n+1}, \quad \text{and} \quad M_{n+1}(\psi_n(j)) = M_n(\psi_n(j))\ \forall j \in [k] \setminus \{i\} \qquad (12)$$

On the other hand, it follows from the definition of $\psi_n^i$ that

$$\psi_n^i(i) = X(\psi_n), \quad \text{and} \quad \psi_n^i(j) = \psi_n(j)\ \forall j \in [k] \setminus \{i\} \qquad (13)$$

From (12) and (13) we get

$$M_{n+1}(\psi_{n+1}(i)) = M_{n+1}(\psi_n^i(i)) = M_{n+1}(X(\psi_n)) = w_{n+1} = R_{n+1}(i), \text{ and}$$
$$M_{n+1}(\psi_{n+1}(j)) = M_{n+1}(\psi_n^i(j)) = M_{n+1}(\psi_n(j)) = M_n(\psi_n(j)) = R_{n+1}(j)\ \forall j \in [k] \setminus \{i\}$$

Hence, $M_{n+1} \equiv_{\psi_{n+1}} R_{n+1}$.

$\Leftarrow$) Assume $q_{n+1} \in \delta(q_n,i)$. We distinguish two cases depending on the transition made in $\mathcal{F}$ (i.e. the same two cases in Def. 14):

- If $w_{n+1} = R_n(i)$, and in this case $R_{n+1} = R_n$. From the definition of $\delta'$ in Eq (10) we have $(q_{n+1},\psi_{n+1}) \in \delta'((q_n,\psi_n), X(\psi_n), (X(\psi_n) = \psi_n(i)))$. Since the variable $X(\psi_n)$ is free in state $(q_n,\psi_n)$, the latter transition is possible. Thus we get $M_{n+1} = M_n$ and $\psi_{n+1} = \psi_n$. From the induction hypothesis we have $M_n \equiv_{\psi_n} R_n$. Hence, $M_{n+1} \equiv_{\psi_{n+1}} R_{n+1}$.

- If $w_{n+1} \notin codom(R_n)$, $\varrho(q_n) = i$, and in this case $R_n(j) = R_{n+1}(j)$ for all $j \neq i$. From the definition of $\delta'$ in Eq (10) we have

$$(q_{n+1},\psi_n^i) \in \delta'((q_n,\psi_n), X(\psi_n), \textstyle\bigwedge_{j \in [k]}(X(\psi_n) \neq \psi_n(j)))$$

We show that this transition is possible. Since the variable $X(\psi_n)$ is refreshed in the state $(q_n,\psi_n)$, we must show that $M_n \models \bigwedge_{j \in [k]}(w_{n+1} \neq \psi_n(j))$, i.e. that $\bigwedge_{j \in [k]}(w_{n+1} \neq M_n(\psi_n(j)))$ holds. But since $w_{n+1} \notin codom(R_n)$ and $M_n \equiv_{\psi_n} R_n$, then $w_{n+1} \notin codom(M_n)$ as well. Thus, $\bigwedge_{j \in [k]}(w_{n+1} \neq M_n(\psi_n(j)))$ holds. It remains to show that $M_{n+1} \equiv_{\psi_{n+1}} R_{n+1}$. But this is the same as the proof of the second case of the direction ($\Rightarrow$).

□